Chapter 1: Getting Started

Welcome to ESM and the ArcSight Console. 

ESM is a comprehensive software solution that combines traditional security event monitoring with 
network intelligence, context correlation, anomaly detection, historical analysis tools, and automated 
remediation. It consolidates and normalizes data from disparate devices across your enterprise 
network in a centralized view. 


Starting the Console 

Start the Console as you would any other application. The login mechanism varies according to the 
type of authentication you have set up during installation. 

Depending on the chosen shortcuts during installation, start the Console using any of these methods: 

• Using the Console desktop icon 

• Selecting from the system tray 

• Selecting from the Start menu 

Alternatively, open a command window in the Console’s bin directory and type 
arcsight console 

If you are using SSL authentication, set it up and import the certificate as described in the 
Administrator’s Guide’s “Configuration” chapter, in the section entitled “Understanding SSL 
Authentication.” After the certificate is imported, you can start the Console without entering a user ID or 
password. 

If you are using password authentication, see the Administrator’s Guide’s “Configuration” chapter, in 
the section entitled “Managing Password Configuration.” Log in with your user ID and password. 
Certificates are imported automatically. 

If you have selected “Password or SSL Authentication,” you choose which way to log in, each time. 

If you are using FIPS and using a browser, make sure that browser is configured for FIPS. See the
Administrator’s Guide’s topic on “Configure Your Browser for FIPS.”


Quick Start Tools and Standard Content 

The Console serves as the control point for administrators to configure ESM content and resources, and
to manage, monitor, and respond to network security issues across the enterprise.


HP ESM (6.9.1c)
Page 38 of 1106

ArcSight Console User's Guide
Chapter 1: Getting Started


A Network Model Wizard is provided to facilitate the process of describing network devices and assets
in ESM. For more about the Network Model wizard and instructions on how to use it, see "Populating the
Network Model Using the Wizard" on page 110.

A set of coordinated resources (filters, rules, dashboards, reports, and so on) is provided to address 
common security and management tasks. The set of standard content is designed to give you 
comprehensive correlation, monitoring, reporting, alerting, and case management out of the box, with 
minimal configuration required on the Console. 

For information about standard System or Administration content, refer to the Standard Content Guide
— ArcSight Administration and ArcSight System. All ESM documentation is available on Protect 724 at
(https://protect724.hp.com).


Use Cases 

Use cases are special groupings of related ArcSight content that address specific security issues and 
business requirements. 

Use cases provide an integrated Console-based alternative for viewing and interacting with resources 
to the standard one-resource-at-a-time viewing method offered in the Resource tree of the Navigator 
panel. You can configure shared resources in a single operation, and export related resources in an
ArcSight Resource Bundle (arb) for use in other ArcSight instances.

HP provides use cases for some of the standard content that is installed with ESM and for additional 
content (Security Use Cases) provided through the Marketplace. The standard content use cases are 
described in the ArcSight Administration and ArcSight System Standard Content Guide. Each Security 
Use Case comes with its own documentation that provides information about how to install, configure, 
and use the use case. 

Tip: Use case configuration requires having a network model in place. Model your network first as 
part of the initial configuration of ESM. Follow instructions in "Modeling the Network" on page 98. 
In addition to the capabilities built into the Console, the Console itself is a tool with its own
characteristics and specialized controls. The Help topics in this section describe the basics of using
Console tools and controls to make the most of its features.


Navigating 

Use the Navigator panel on the Console to locate and manage security resources, and the Viewer and 
Inspect/Edit panels to analyze resource data and view or adjust the attributes of the resources 
producing the data. 


Figure: The Navigator panel showing the Dashboards resource tree. The Resources tab is selected and
the Dashboards tree is expanded to show admin's Dashboards and Shared > All Dashboards > ArcSight
Administration, with its Connectors, Devices, ESM, and Events groups.

The resources available in the Navigator panel can be affected by permissions set for your user type. 
On the Navigator panel, you can: 
• Choose a resource tree from the drop-down list.

• Expand (+) and collapse (-) resource groups to locate particular subgroups or individual resources. 
You can also use the keyboard right arrow key to expand and left arrow key to collapse the 
Navigator resource trees. 

• Right-click groups or individual resources to choose from their context menus. 

Use the Viewer or Inspect/Edit panels to see or act on the results of the context menu commands. 


Navigator Panel Resource Tree


Resource Tree on the Console’s Navigator Panel

Active Channels: Create, modify, and delete security-event views that actively and continuously
evaluate the events they display, on the basis of time and other filter conditions. This view also
includes the Field Sets resource tree for managing named field sets. See "Monitoring Events" on
page 210.

Actors: Map humans or agents to activity in applications and on the network, and identify actors
behind events. See "Actors" on page 740.

Assets: Security-sensitive devices and device groups installed in your enterprise, and the known
exposures to potential threats those devices may represent. Assets also includes the related network,
zone, location, category, and vulnerability information you use to manage network devices. See
"Modeling the Network" on page 98.

Cases: Track enterprise security incident cases, by status and priority. See "Case Management and
Queries" on page 596.

Connectors: Manage the SmartConnectors installed at your enterprise. See "Managing
SmartConnectors" on page 140.

Customers: Manage resources that represent the security concerns of particular MSSP (Managed
Security Services Provider) clients. See "Managing Customers" on page 138.

Dashboards: Various event data monitors and their library of supporting resources. See "Using
Dashboards" on page 238.

Field Sets: Define subsets of available data fields so you can quickly focus a grid view, an Event
Inspector, or other field arrays on a particular context. See "Field Sets" on page 546.

Files: The Files resource tree, when populated, lists files saved as resources on the Manager. This
makes them accessible to all users of the system who are authorized for such access. File resources
include Case file attachments, templates, and general-purpose shared files. See "Managing File
Resources" on page 671.

Filters: Event filtering definitions, organized in groups. See "Filtering Events" on page 286 and
"Managing Filter Groups" on page 294.

Integration Commands: Application integration resources used to configure and launch commands,
tools, and views in custom and third-party applications and other ArcSight products from within the
Console. Provides the ability to configure custom scripts, URLs, and Connector commands, and
integrate them into the Console UI in various contexts. Leverages velocity expressions and the UI
contexts for pulling the content of event data, for example, as command parameter values. Provides
support for ArcSight Network Synergy Platform (NSP) and Threat Response Manager (TRM). See
"Integration Commands" on page 623.

Knowledge Base: A database of articles and groups of articles that aid problem-solving, analysis, and
operation. See "Getting Knowledge Base Articles" on page 285 and "Knowledge Base Authoring" on
page 665.

Lists: Active Lists are lists of active source and target IP addresses of interest, as defined by
enterprise rules. See "List Authoring" on page 469 for more information. Session Lists are similar to
active lists, but are optimized for time-based queries and monitoring of rule-driven combinations of
event attributes or custom fields. See "Identity Correlation" on page 569 for more information.

Notifications: Destinations and settings for the automatic messages that alert you to pre-defined
situations or events. See "Acknowledging Notifications" on page 56 and "Managing Notifications" on
page 203.

Pattern Discovery: Profiles to capture, and snapshots of, potentially threatening event patterns. See
"Pattern Discovery" on page 710.

Query Viewers: A resource for defining and running SQL queries on other ESM resources
(independent of reports), including trends, assets, cases, connectors, events, and so forth. Each query
viewer contains an SQL query along with other logic for establishing and comparing baseline results,
analyzing historical data to find patterns in network activity, and performing drill-down investigation
on a particular aspect of the results. Query viewers can use the same queries as reports do, but can be
run independently of them. See "Query Viewers" on page 323.

Reports: Definitions for, and archived output from, various activity reports. See "Running and
Managing Reports" on page 448 and "Building Reports" on page 371.

Rules: Rules and groups of rules created for isolating, analyzing, and responding to events. See
"Rules Authoring" on page 493.

Saved Searches: Saved Searches are created on the ArcSight Command Center. Refer to the ArcSight
Command Center User’s Guide for information on how to create and save searches. This resource is
displayed on the ArcSight Console for packaging and content synchronization purposes. See
"Managing Resources" on page 670 and "Managing Packages" on page 693.

Search Filters: Search Filters are created and used on the ArcSight Command Center. Refer to the
ArcSight Command Center User’s Guide for information on how to create searches, then save them as
filters. This resource is displayed on the ArcSight Console for packaging and content synchronization
purposes. See "Managing Resources" on page 670 and "Managing Packages" on page 693.

Stages: Workflow and annotation features for real-time analyst collaboration on security events.

Use Cases: Resource collections that address common security issues and business requirements.
When use cases are installed, a Use Case tab is displayed in the Navigator panel. A wizard is available
for configuration of the use case resources. Instructions for using the wizard are provided in the
documentation provided with the specific Use Case.

Users: ArcSight users and user groups. See "Managing Users" on page 180.


Using SmartFolders 

ArcSight has special, automatically maintained folders to track the results of your case searches or to 
track your currently selected replay rules and currently running reports. When you create them, these 
folders appear just below the root of each resource type in the Navigator, prefixed with your ArcSight 
username. 
To create a case-search SmartFolder:

1. Right-click a folder in the Cases tree and choose New Search Group in the context menu to open
the Search Group Editor.

2. Use the Editor to define a search that updates dynamically each time a change occurs to one of 
your cases. 

A given group contains the result of this search when it is applied to those cases. 

Using Reports SmartFolders 

The Reports tree in the Navigator panel shows a folder for each username and the suffix “Reports.” 
These folders list the reports that user is applying, and the right-click context menu offers the 
commands available for those reports. These folders are maintained automatically and you cannot 
change them. 

You can use this feature to control report runs. For example, if a report is running too long and you 
would like to end it, right-click it and choose Stop Report. 

Note: Reports you run using the Run button in the Report Editor are initiated outside the usual 
Console processes. These reports do not appear in, and are not controllable from, the Reports tree 
in the Navigator. 


Using Resource Groups 

You can group resource types in the Navigator panel to help you organize and manage them. Groups 
can also be hierarchical, resulting in “trees” of resources. Apart from the characteristics of the 
resources involved, such as assets or vulnerabilities, each group identity has certain properties you 
can edit in the Group Editor. 

Adding or Editing a Resource Group 

To edit a resource group: 

1. To add a group, right-click a resource group and choose New Group. 

Or to edit an existing group, right click the group and choose Edit Group. 

2. In the Group Editor, enter or change the group attributes you want to change. 

Entering data in the Common and Assign sections is optional, depending on how your environment
is configured. For information about the Common and Assign attributes sections, as well as the
read-only attribute fields in Parent Groups and Creation Information, see "Common Resource
Attribute Fields" on page 685.
3. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57.

4. Click Apply to put your changes into effect but leave the editor open. Click OK to apply your 
changes and also close the editor. 

Fields containing system information (like Creation Time) are not editable. 

See "Reference Pages" on page 1017 for more about using the Group Page and Member's Page
fields.

See "Job Scheduler" on page 996 for information about scheduling tasks or “jobs” for reports
(individually or by group), rules, or Pattern Discovery snapshots.

Using the Categories Tab for Asset Groups 

The Group Editor for groups in the Assets tab of the Assets resource tree has an additional Categories 
tab. This tab has two sub panels: Local Asset Categories and Inherited Asset Categories. Local 
shows assets that are explicitly assigned to categories. Inherited shows assets whose category 
connections are presumptions based on a parent's group or a simple asset-range association. 


Batch Editing 

You can make common edits to multiple case or SmartConnector resources by selecting a set of either 
type in the Navigator panel and changing their common fields in the Case or Connector Editor. 

Batch-Editing Cases or Connectors 

Where: 

• Navigator > Resources > Connectors, or

• Navigator > Resources > Cases

To batch-edit cases or connectors: 

1. Ctrl+click or Shift+click to select a set of individual cases or SmartConnectors in their respective
resource trees in the Navigator panel. 

2. Right-click the selected items and choose Edit. 

3. Make changes to the appropriate common fields, such as Description or Owner. 

4. Click Apply to record your changes and leave the editor open, or click OK to save and close. 
Saving affects only the fields you have changed, in each of the selected resources. 
Cases Reminder

Use the Lock Case check box to lock and unlock cases in batches. 

SmartConnector Reminders 

Batch changes affect only default configurations, not alternates. However, you can add new alternate 
configurations by batch editing. 

Note that if you make changes under the Filters tab, the entire tab's contents are saved to the selected 
SmartConnectors. 

You can batch-edit connectors only of the same version. 


Reconnecting to the Manager 

If your Console loses its connection to the Manager, a dialog box enables you to Retry the connection, 
Relogin, or to Cancel the connection. Try these options in this order. 

A connection to the Manager cannot be re-established if the Manager is restarted or if a network 
problem prevents communication with the same Manager. In such cases, click Cancel and start the 
Console again, using an appropriate Manager host name. 


Viewing 

This section provides information on using the Console Viewer Panel and choosing look-and-feel 
options (skins) for the Console. 

Topics include: 

• "The Viewer Panel" below 

• "Console Look-and-Feel" on page 48 


The Viewer Panel 

You see the products of security-event analyses in the Viewer panel, which can display several 
different types of views. (See also "Using Views" on page 210.) 

Although there are some views that display information about resources, most views are active 
channels, which are continuously evaluated collections of security-event data. (See also "Monitoring 
Active Channels" on page 210.) 

Tip: Here are some Viewer Panel features you can use. 
• To show a resource (like a particular dashboard or active channel) in the viewer, right-click it in
the Navigator tree and choose Show <resource>.

• To close individual views quickly, Shift+click their name tabs. (You can also right-click a view
name tab and choose Close from the popup menu.)

• To float the Viewer panel, click the Float icon at the top left of the Viewer. 


The Viewer tabs in the Viewer panel have a live link at the top. You can click these links to open the 
contents in an external, fully functional browser window. 

For security reasons, HTML that might include JavaScript, plug-ins, or other embedded objects is
rendered in the default browser you specify through the Preferences dialog box. The default browser is
also used for PDF document files.


If your Console is not already displaying a default set of pre-defined views, or if you want to change the
views displayed, you can use these options:

• Choose Window > Viewer Panel to open the panel if it isn't open.

• Choose the Active Channels, Dashboards, or Pattern Discovery resource trees in the Navigator 
panel to find analysis tools or results to view. 

• Right-click a resource in a tree and choose Show <resource> to open it in the Viewer panel. 

• When multiple tabbed views are open in the panel, click the tabs at the top of the panel to choose 
the active channel you want to see, and the tabs at the bottom of the panel to choose which view of 
that active channel should be foremost. 

To close an individual view, Shift+click its name tab. (You can also right-click a view name tab and 
choose Close from the popup menu.) 

Using active channels and the many types of views they offer is fully covered in the topics under these 
headings: 

• "Monitoring Events" on page 210 

• "Selecting and Investigating Events in Active Channels" on page 274 

• "Using Dashboards" on page 238 


Console Look-and-Feel 

If you start the Console from the command line with the arcsight console command (in
ARCSIGHT_HOME/current/bin), use the -laf <style> flag to specify a look-and-feel style. For example, the
following command starts the Console with a “metal” look-and-feel:

arcsight console -laf metal 

The other possible styles are plastic, the default for Unix, and plastic3d. 

These styles modify the Console display and associated online help. 

The screen captures and illustrations used throughout the Console online help show various look-and- 
feel styles. 


Inspecting and Editing 

ArcSight Console provides the Inspect/Edit panel to examine the details of events that appear in active 
channels in the Viewer panel, or to modify the resource attributes in the Navigator panel. You can 
examine security events through the Inspect/Edit panel's Event Inspector, and edit resources using 
specialized editors, one for each specific resource type. 

Note: Press Enter to register edits made in editors and channel columns. 
To ensure that ESM registers a change you make to a field in editor and channel columns, press
Enter before clicking Apply or OK.


Overview of Inspect/Edit Features and Utilities 

Each editor has its own controls and attributes, described in the Help for each resource. 



The Inspect/Edit panel opens automatically if you double-click an event in a grid view or choose to edit 
a resource in the Navigator panel. You can also right-click an event in a grid view and choose Show 
Event Details. To explore the Inspect/Edit panel, you can: 

• Choose Window > Inspect/Edit Panel to open or restore the panel, if it already has inspectors or 
editors in it. If no inspectors or editors are open, the panel isn't available. 

• If no editors or inspectors are open, or to work with different ones, double-click an event in a grid 
view or right-click an item in a Navigator panel resource tree and choose Show <resource>. 
• To clear an editor from the Inspect/Edit panel, right-click its tab and choose Close.

• Click the Hide Empty Rows button beside the Select a Field Set menu to see only populated
fields.

• Click the New Field Set button to create a new field set.

• Click the icon toggle button to show/hide icons next to each field entry.

Searching for Fields in Event Inspector, Resource Editors, or CCE


To find an item in a list of fields on the Event Inspector, any Resource Editor, or the "Common 
Conditions Editor (CCE)", start typing the search string in the Search for field at the bottom of the 
panel. The search is predictive in that it will navigate to and select matching fields as you type. The 
Search utility works essentially the same way in the Event Inspector and in resource editors that use 
field sets and filters (and, by association, the CCE). 



Figure: Start typing in the Search for field to highlight the first match.


If you start to type a term that is not in the field list, the search text turns red. If you backspace and start 
deleting text, the text will change from red to black when a matching field is found. Resume typing to 
find another matching term. 

To exit the Search, press the Enter key. 
Getting More Help


The best way to learn more about the Event Inspector and each of the many resource editors is to click
the question mark button (?) in the upper-right corner of the Inspect/Edit panel or the Help button in
the lower right of a resource editor.


Controlling the Console 

The Console has certain common controls for basic tasks like copying and pasting, and showing or 
hiding panels or the status bar. 

There are four toolbars under the Console menus. Each button has an identifying tool tip, but the full 
descriptions are as follows. 

To show or hide toolbar components, right-click the toolbar and select or deselect the sections you 
want to change. 


Console’s Toolbar Components

File: New resource, Open, and Save. Saving and opening applies to Console settings (.ast) files.

Edit: The Cut, Copy, Paste, Delete, and Search buttons operate as they do in any application. Cutting,
copying, and pasting applies to text and resources.

Channel controls: The Replay buttons have the same functions in certain views on the Viewer panel as
their counterparts do on VCRs or CD players. From left to right, the buttons are: Rewind to Start,
Rewind Incrementally, Pause, Play, Stop, Go Forward Incrementally, and Go Forward to End. Use the
Replay buttons when working with channels configured for this mode.

Window: Click the Show/Hide buttons to open or close the Navigator, Viewer, and Inspect/Edit panels;
and status or menu bars. Click the Floating button to bring floating windows forward.

Network Tools: These buttons run standard IP-based network analysis tools as described in "Using the
Network Tools" on page 53.

System: Open a scheduled jobs list and add user categorizations to selected events.

View: The Notifications button, if blue, indicates there are no new notifications. The button turns red if
you have messages to acknowledge. Click the button to open the Notifications manager in the Viewer
panel so you can acknowledge the notification and resolve the issue. The Slide Show button enables
you to start an image dashboard slide show and set the interval.

Status Bar: The status bar is across the bottom of the Console window. Use the Window > Status Bar
menu command to toggle it on or off. When the status bar is showing, it displays Console operation
messages. Normal status messages appear in blue and error messages are red.

To view details on a message, click the message in the status bar. The ArcSight Messages dialog is
displayed with the current message highlighted. From this dialog, you can access console messages,
system messages and user notifications.

To copy any message from the Messages dialog, highlight it and click Copy. The message is copied to
the clipboard along with associated date and time. You can then paste the message into any other
window, mail program, or editor that accepts ASCII text.


To save error and warning messages: 

While using the Console interface, certain error messages, warnings, and notifications may appear in a 
small dialog box: 



Chapter 2: Working in the Console


To capture the message and supporting data, click the Copy button or check Copy message to 
system clipboard to copy the entire message to the Clipboard. You can then paste the error message 
in text fields in the ArcSight Console, into the body of an e-mail message, or other applications. 


Using the Network Tools 

The network tools, shown here, are also available from the Tools menu.

ArcSight provides Network Model, Use Case, Name Server Lookup, WebSearch, and Whois as default
utilities. Most of these tools are utilities you use to investigate events in grid views. In a grid view, you
right-click an event to access these tools from a context menu. A wizard-based utility called Send Logs
gathers logs and diagnostic information for review or which you can email to customer support.

You can add, copy, edit, or delete network tools using the Tools menu in the menu bar. The toolbar 
buttons and menu commands adjust automatically to such changes. 

Tip: The Network Tools are also available as integration commands (see "Network Tools as
Integration Commands" on page 659).

These tools are available in both places on the Console UI, but for future releases the legacy
“network tools” feature described here will be phased out in favor of the integration commands.

The same, customizable tools and commands will be available (ping, whois, and so on), along
with other new commands and a full set of application integration features.

To configure these tools, choose menu option Tools > Local Commands > Configure, as
described in the following topics:

• "Running a Tools Command" below

• "Adding or Editing a Tool" on the next page


Figure: Network Tools toolbar buttons (Ping, Port Usage, Trace, ...)

Running a Tools Command 

To run a tools command: 

1. In a grid view, select an IP address. 

2. Right-click and select Tools, then one of the tool options described below: 
Tool Options

Network Model: Configure the network model. This button launches the Network Model wizard.

Use Case: Configure a use case. Instructions are in the documentation that comes with each Security
Use Case.

Send Logs: Access this from the Tools > Send Logs menu. Start the Send Logs wizard to gather logs
and diagnostic information. Logs and diagnostics can be collected for all or a selected set of ArcSight
components. (See "Send Logs" on page 1040.)

Local Commands:

Nslookup: Resolve an IP address to a host or domain name or vice versa.

Ping: Determine whether an IP address in the selected cell is online. Test and debug a network by
sending a packet and waiting for a response.

PortInfo: List standard usage, for example, WWW, FTP, and so on, for a specified port number.

Traceroute: Show the path from the Console to the IP address selected in the grid view, reporting the
IP addresses of all routers in between.

WebSearch: Search the Web through Google to find links to the keywords present in currently selected
active channel grid view cells.

Whois: Look up who is behind a given domain name; information might include addresses and
telephone numbers.


3. Based on the tool selected, a window appears with the information. 

4. In the window, click Close. 


Adding or Editing a Tool 

To add or configure (edit) a tool: 

1. Choose the menu command Tools > Local Commands > Configure.

2. In the Configure Tools window: 
■ Click New if you are adding a tool, or

■ Select an existing tool and click Edit. 

3. In the Tool window, set options for command line parameters to be used for the program, 
described below: 

Tool Configuration Options

Name: User-friendly name for this tool.

Program: Path to the executable file.

Working Directory: Default location assumed for arguments to the command. For example, to create a
command (for example, delete <file>.ast) that acts on a file type that always resides in the same
directory, specify the location here to save users from having to provide the full path to the file each
time they use the command.

Icon: Path to the icon image file used to represent the tool.

Program Parameters: Provide any parameters needed for the command. You can type parameters in
the field, or click the button beside the field to get a pull-out menu where you can select Event
Attributes to use as parameters, or add the selected cell or selected row as parameters to the
command.

Show in toolbar: When Show in toolbar is on, the tool icon is shown in the Console toolbar. By default,
this option is selected.

Use with data export: The purpose of this option is to separate tools that are run against events in
channels from tools used as destinations for event export. By default, this option is not selected (off).
If this tool is to be used as a destination for event export, select Use with data export. If this tool
contains a command that will run against events in a channel, leave Use with data export off.


4. Name, Program, Working Directory, Icon, and Program Parameters (command line 
parameters to be used for the program) are text fields. Also select whether you an the tool to show 
in the toolbar 

5. Click OK, then Done. 
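A local command receives whatever the selected cell or event attribute contains, and that value 
originates in the logs of the monitored devices rather than with the Console user. The following 
wrapper is an added example and is not part of ESM or the Console: it is written to be registered 
as a tool with Program set to the script's path and Program Parameters set to the selected cell 
(for example Target Address or Target Host Name), so the cell value arrives as the first argument. 
It refuses anything that is not a plain IPv4 address or DNS host name before running the lookup; 
the validation policy is this example's own assumption, not a product rule. 

```shell
#!/bin/sh
# Added example (not part of ESM): a wrapper registered as a local command.
# Assumed tool settings: Program = path to this script, Program Parameters =
# the selected cell (for example Target Address or Target Host Name), so the
# cell value arrives as $1. The validation policy below is this example's own.

# Accept a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1          # split the address into its four octets
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Accept a DNS host name made of RFC 1123 labels (letters, digits, inner
# hyphens). A label cannot start with '-', so option-like values are rejected.
is_hostname() {
  # Digits-and-dots-only strings are malformed addresses, not names.
  printf '%s' "$1" | grep -Eq '^[0-9.]+$' && return 1
  printf '%s' "$1" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Return 0 only for values that are safe to hand to the lookup tool as a
# single argument; anything else (shell metacharacters, spaces, leading '-')
# is refused before any command runs.
validate_target() {
  [ "${#1}" -le 253 ] || return 1
  is_ipv4 "$1" || is_hostname "$1"
}

run_lookup() {
  if ! validate_target "$1"; then
    printf 'refusing lookup: "%s" is not an IP address or host name\n' "$1" >&2
    return 2
  fi
  # The value is passed as one argv element; it is never re-parsed by a shell.
  nslookup "$1"
}

# When invoked by the Console the cell value is the first argument.
if [ "$#" -gt 0 ]; then
  run_lookup "$1"
fi
```

Because the Console passes the cell value as a program argument rather than through a shell, the 
check above matters most when the wrapper itself would otherwise interpolate the value into a 
command string; keeping the value as a single argument, and rejecting values that begin with a 
hyphen, keeps the lookup tool from treating attacker-supplied log content as options. 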
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To delete a tool: 

1. Choose the menu command Tools > Local Commands > Configure. 

2. In the Configure Tools window, select an existing tool and click Delete. 

3. In the dialog box, click Yes. 

4. Click Done. 


Staying Informed 

This topic discusses ways by which the Console helps you stay informed about developing situations 
involving events, and critical system status. 

In addition to the security-event information ArcSight collects and analyzes, you can get, record, and 
pass other types of working information. This additional information falls into categories described here. 

Topics include: 

• "Acknowledging Notifications" below 

• "Using Notes" on the next page 

• "License Tracking" on page 58 


Acknowledging Notifications 

Notifications inform you when certain defined events or circumstances occur. You might receive 
notifications by cell phone message or e-mail, but you can always see an indicator in the 
Notifications button in the toolbar line of the Console. 

Notifications can be sent as a result of a rule action, or by another user monitoring events in a grid. 
Clearing a notification requires that you acknowledge it. Whether or not you need to take other action 
depends on the circumstances. Acknowledgements are described briefly here, but for full detail, see 

"Managing Notifications" on page 203. 

To acknowledge a cell phone message: 

Acknowledge a call by replying to the e-mail sent through your cell phone. An e-mail enabled cell phone 
is required for receiving notifications and replying to them. 

To acknowledge an e-mail message: 

Acknowledge an e-mail message by replying to the message. Reply to the e-mail address from which 
the notification was sent. 
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To acknowledge notifications at the Console: 

The Console automatically alerts you of pending acknowledgments. The Acknowledge Notifications 
button is automatically enabled when you have one or more notification messages to be acknowledged. 
When you click the Acknowledge Notifications button, the Notifications manager opens in the 
Viewer panel so you can acknowledge and resolve the notification. 


Using Notes 

Each resource and resource group in the Navigator panel has an editor, and each editor has a Notes 
tab. The Notes tab retains all the text that you and others add to the resource. 

Notes tabs have Table and List sub-tabs to show you tabular or text layouts of the notes accumulated 
for a resource. Notes are stored chronologically and you can sort them by clicking the Date, Owner, 
and Text headers. 

To add a note: 

1. On the Navigator panel resource tree, right-click a resource group or individual resource. 

2. For a resource group, choose Edit Group. For a resource, choose Edit <resource>. 

3. In the Inspect/Edit panel, click the editor's Notes tab. 

4. In the Notes space, type a note. 

5. Click Save and then OK. 

To view a note: 

1. On the Navigator panel resource tree, right-click a resource group or individual resource. 

2. For a resource group, choose Edit Group. For a resource, choose Edit <resource>. 

3. In the Inspect/Edit panel, click the editor's Notes tab. 

To delete a note: 

1. On the Navigator panel resource tree, right-click a resource group or individual resource. 

2. For a resource group, choose Edit Group. For a resource, choose Edit <resource>. 

3. In the Inspect/Edit panel, click the editor's Notes tab. 

4. Right-click a note and choose Delete. 

To search for text strings in Notes: 

You can run a search on a resource's Notes tab. Refer to the topic, "Finding Resources" on page 687. 
That topic provides instructions on using the Search field on the Console's toolbar and entering correct 
search syntax. 
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License Tracking 

The product tracks the status of licenses forfeatures you use, including actors, Console user limits, 
device number limit, actor and asset number limit, and events-per-second limit. 

Licenses for the features available to you are installed and configured at setup time. For details about 
setting up licenses during the installation and configuration process, see the ESMInstallation and 
Configuration Guide. 

Note: License tracking includes disabled and deleted actors. 

The ESM license tracking feature includes actors that are still in the ESM actor model with the 
status Disabled or Deleted in I DM. ESM’s identity management feature preserves disabled and 
deleted actors in the actor model to track any unauthorized activity related to disabled or deleted 
actors. 

If you do not want the ESM license tracking feature to evaluate actors with the status Disabled or 
Deleted in I DM, you can manually remove them from the ESM actor model. However, manually 
removing disabled or deleted actors also removes the ability for ESM to track unauthorized activity 
related to these accounts. For details, see 'Deleting Actors" on page 766. 

License Tracking Notifications 

If your feature usage is close to or has exceeded the license agreements for your organization, you see 
a notification dialog when starting up the Console, for example: 



Your access to these features remains in place even if the license limit has been exceeded. 

Standard Reports for License Status Tracking 

You can check on the status of your ESM feature licenses using the reports and focused reports found 
under All Reports/ArcSight Administration/ESM/Licensing. 

Each report is described in the topic, "ESM Licensing," in the ArcSight Administration and ArcSight 
System Standard Content Guide. 

For details about running reports, see "Running and Managing Reports" on page 448. 
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Using the File Menu 


Keyboard shortcut: Alt+F 

See also "Keyboard Shortcuts (Hot Keys)" on page 66. 

Options on the File Menu 


Option 

Icon 

Resource 

Shortcut 

New 

□ 

Create a new resource from the available submenu. 


Open 

& 

Open an existing Console settings file to use that configuration. 

Ctrl-0 

Save 

m 

Save your latest Console settings in the current configuration file. 

Ctrl-S 

Save As 


Save your current Console settings in a different configuration file. 


Save to 
Manager 

% 

Save your current Console settings at the ArcSight Manager rather 
than locally, so you can get these settings at a different Console. 


Load 

From 

Manager 

b 

Load a preferred Console configuration file from the ArcSight 

Manager, so you can use it with this Console. 


Send To 


Send a local Console configuration (.ast) file to an e-mail address so 
another user can save and use it with their Console. 


Log Out 


Log out of the Console with your current user ID, without exiting, so 
someone else can log in. 


Exit 


Log out of the Console and exit. 

Alt-F4 


Using the Edit Menu 

Keyboard shortcut: Alt+E 

See also "Keyboard Shortcuts (Hot Keys)" on page 66. 

Options on the Edit Menu 

Cut (Ctrl-X) 
    Cut selected text. 

Copy (Ctrl-C) 
    Copy selected text or resources. 

Paste (Ctrl-V) 
    Paste text or resources from the clipboard. 

Delete (Delete key) 
    Delete selected text or resources. 

Select All (Ctrl-A) 
    Select all text. 

Preferences 
    Open the Preferences dialog box to make personal configuration changes. 

Find Resource (Ctrl-F) 
    Use the Find Resource query editor to search for resources and review their details. 


Using the View Menu 

Keyboard shortcut: Alt+V 

See also "Keyboard Shortcuts (Hot Keys)" on page 66. 

Options on the View Menu 

New Active Channel (Ctrl+Shift+D) 
    Open the New Active Channel dialog box so you can set up and start a new active channel in 
    the Viewer panel. 

Show Active Channel (Ctrl+Shift+S) 
    Open the Active Channel Selector dialog box so you can choose an active channel to display 
    in the Viewer panel. 

Recent Active Channels 
    Choose a recently opened active channel to display in the Viewer panel again, if available. 

Resource Hotkeys 
    Show currently programmed keyboard shortcuts for actions on the Console. These keyboard 
    shortcuts are defined in the Console Preferences dialog (Edit > Preferences > Manage 
    Hotkeys). For more information, see "Keyboard Shortcuts (Hot Keys)" on page 66. 

New Dashboard (Ctrl+Shift+B) 
    Create a new, untitled and empty dashboard to populate with data monitors. 

Show Dashboard (Ctrl+Shift+W) 
    Open the Load Dashboards dialog box so you can select dashboards to open in the Viewer 
    panel. 

Recent Dashboards 
    Choose a recently opened dashboard to display in the Viewer panel again, if available. 

Notification Acknowledgement (Ctrl-N) 
    Show all Notifications for the current user (pending, undeliverable, not acknowledged, 
    acknowledged, and resolved). 

Show Messages (Ctrl-M) 
    Show all Console messages, system messages, and user notifications in the ArcSight 
    Messages dialog. 

Next View (Ctrl+Shift+N) 
    Take you to the next open view or tab in the Viewer panel. 

Previous View (Ctrl+Shift+P) 
    Take you to the previous open view in the Viewer panel. 

Close All Views 
    Close all views that are open in the Viewer panel. 

Slide Show (F11, toggle to start or stop) 
    Show a continuous slide show of all open channels and dashboards. 


Using the Window Menu 

Keyboard shortcut: Alt+W 

See also "Keyboard Shortcuts (Hot Keys)" on page 66. 

Options on the Window Menu 

Navigator Panel (Ctrl-1) 
    Show or hide the Navigator panel. 

Viewer Panel (Ctrl-2) 
    Show or hide the Viewer panel. 

Inspect/Edit Panel (Ctrl-3) 
    Show or hide the Inspect/Edit panel. 

Status Bar (Ctrl-4) 
    Show or hide the status bar. 

Floating 
    Bring to the front one of the listed floating (undocked) windows, if available. 



Using the Tools Menu 

Keyboard shortcut: Alt+T 

See also "Keyboard Shortcuts (Hot Keys)" on page 66. 

Options on the Tools Menu 

Local Commands > Configure (Alt-C) 
    Add, copy, edit, or delete Network Tools. 

Local Commands > Results (Ctrl+Shift+R) 
    Display the Tool Results dialog box. 

Local Commands > Nslookup 
    Resolve an IP address to a host name. 

Local Commands > Ping 
    Determine whether an IP address is online. 

Local Commands > Port Info 
    List the default protocol usage for a specified port number (for example, WWW, FTP, SMTP). 

Local Commands > Traceroute 
    Show the path to an IP address. 

Local Commands > WebSearch 
    Use Google to search the web for event-related keywords. 

Local Commands > Whois 
    Find the registered owner of a given domain name. 

Network Model 
    Launch the Network Model wizard. See "Populating the Network Model Using the Wizard" on 
    page 110. 

Use Case 
    Launch the Use Case wizard. Refer to the specific use case document or instructions. See also 
    "Use Cases" on page 39. 

Send Logs 
    Launch the Send Logs wizard. See "Send Logs" on page 1040. 



Using the System Menu 

Keyboard shortcut: Alt+S 

See also "Keyboard Shortcuts (Hot Keys)" on page 66. 

Options on the System Menu 

Scheduled Jobs 
    Open the Job Scheduler. For more information, see "Job Scheduler" on page 996. 

Categorize Event 
    Select a non-ArcSight event in the grid, then select the System > Categorize Event menu 
    option to apply a category. 
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Using Right-Click Context Menus 

Right-click context menus appear throughout the Console. This section describes common options 
available from right-click menus in different contexts. Context menus in different resources can offer 
other options specific to that resource. To understand all the options available for a particular resource, 
see the topic related to that resource. 

The Navigator panel presents individual resources and groups that help organize them. Here are the 
common options available from the right-click context menus in the Navigator panel. Not all options are 
available in all contexts; those that are not available will appear in grey text. The details of many of 
these options, such as creating a new resource, are described in the topics dedicated to that resource. 


Common Right-Click Menu Options on the Navigator Panel 

New <Resource> 
    Applies to: Resources 
    Open the editor for the selected resource to allow you to create a new one. 

Edit <Resource> 
    Applies to: Resources 
    Open the editor for the selected resource to allow you to edit an existing one. 

Delete <Resource> 
    Applies to: Resources 
    Initiate a delete sequence for the selected resource. A confirmation step is required before 
    the resource is permanently deleted. 

Integration Commands 
    Applies to: Resources and Channels 
    From Console, link to other ArcSight applications and tools. For more information, see 
    "Integration Commands" on page 623. 

Add to Package 
    Applies to: Resources 
    Add the selected resource to an existing package. For more about packages, see "Managing 
    Packages" on page 693. 

Show <Resource> 
    Applies to: Resources 
    Display results gathered by the resource in the Viewer panel. 

Debug Event Priority 
    Applies to: Event Channel 
    Display an event's priority information, which includes scores for severity, relevance, model 
    confidence, and asset criticality. For more information, see "Priority Calculations and 
    Ratings" on page 1010. 

Graph View 
    Applies to: Resources 
    Display a graphical view of the resource in relation to other associated resources. For more 
    about resource graphs, see "Visualizing Resources" on page 676. 

New Group 
    Applies to: Groups and Resources 
    Add a new group. The group's attributes are defined in the Inspect/Edit panel. 

Edit Group 
    Applies to: Groups and Resources 
    Edit an existing group through the Inspect/Edit panel. You can edit a variety of group 
    attributes such as the name, description, owner, and so on. Available in all resources. 

Delete Group 
    Applies to: Groups and Resources 
    Delete a group. 

Rename 
    Applies to: Groups and Resources 
    Change a group's or single resource's name directly on the Navigator pane without going 
    through the group's Inspect/Edit panel. 

    Caution: Be careful about renaming a resource which has, or which will eventually have, 
    dependent resources. Once you change the name, don't re-use the old name for a new resource 
    of the same type, because the dependent resources may continue to refer to the new resource 
    with the old name. An example of a dependent relationship is a trend with queries that depend 
    on that trend. 

Edit Access Control 
    Applies to: Groups and Resources 
    Launch the Access Control Editor. For more about the Access Control Editor, see "Editing 
    Access Control Lists (ACLs)" on page 189. 

Show Invalid Reason 
    Applies to: Groups and Resources 
    For a group or resource shown as invalid (improperly constructed), display the explanation for 
    the invalidity. 

Validate <group or resource> 
    Applies to: Groups and Resources 
    Validate the group or resource that is shown to be invalid because the group or resource was 
    not constructed properly. For more information, see "Validating Resources" on page 679. 

Lock <group or resource> 
    Applies to: Groups and Resources 
    Prevent a group or resource from being edited by users other than the creator of the 
    information. 

Unlock <group or resource> 
    Applies to: Groups and Resources 
    Allow edits to the group or resource. 

Set deprecated flag 
    Applies to: Groups and Resources 
    Set the Deprecated check box on the group or resource's Attributes tab as seen in the 
    Inspect/Edit panel. 

Remove deprecated flag 
    Applies to: Groups and Resources 
    Remove the flag (clear the Deprecated check box) from a previously-deprecated group or 
    resource. 

Refresh 
    Applies to: All 
    Updates the Console with the latest changes. 

Knowledge Base 
    Applies to: Groups and Resources 

    • Show Article: Display the associated Knowledge Base article for the resource or group. The 
    associated article is displayed in the Viewer panel. 

    • Associate With: Select a Knowledge Base article from the Knowledge Base Article Selector 
    to be associated with the resource or group. 

    • Association Help: Display the Help window for associating a resource with a knowledge base 
    article. 

    For more information about knowledge bases, see "Knowledge Base Authoring" on page 665. 

Reference Pages 
    Applies to: Groups and Resources; certain events 
    Display pointers to additional reference information, if such information is available for the 
    group or resource. For more information, see "Reference Pages" on page 1017. 

Print <resource> Tree 
    Print a selected resource's tree view. For more about using this printing feature, see 
    "Printing Navigation Tree Views of Resources" on page 68. 

Help 
    Applies to: Groups and Resources 
    Launch the Console Help topic for the selected resource. 


Using the Help Menu 

Keyboard shortcut: Alt+H 

See also "Keyboard Shortcuts (Hot Keys)" on the next page. 

Options on the Help Menu 

Browse Documentation (F1) 
    Open an index page that offers pointers and links to other PDF-formatted documents 
    concerning subjects such as SmartConnectors or upgrading. 

What's New 
    Open the Console Online Help's "What's New" topic. 

Console Guide 
    Open the Console Online Help's landing page with links to major topics. 

HP Software Support Online 
    Open a browser window that displays the HP SSO login page, so you can sign in and access 
    the case manager, downloads, communities, and other features. 

About 
    Show your ArcSight installation's legal notices and version information. 



Keyboard Shortcuts (Hot Keys) 

You can accomplish many actions in the Console by using the default keyboard shortcuts or hot keys, 
instead of menus and mouse navigation. The standard keyboard shortcuts and their associated actions 
are listed in the table below. 

Tip: You can view the default keyboard shortcut schemas and set up custom shortcuts on the Hot 
Key tab in the Console Preferences dialog (Console menu option Edit > Preferences, click 
Manage Hot Keys). For information on how to view or configure Console keyboard shortcuts, see 
"Managing Hot Keys" on page 89. 

Keyboard Shortcuts 

Annotate events (Ctrl-T) 
    Select one or more events in any grid view, and use the Ctrl-T keyboard command (as an 
    alternative to the right-click Annotate Events menu option). See "Annotating an Event" on 
    page 278. 

Mark events reviewed (Ctrl-R) 
    Select one or more events in any grid view, and use the Ctrl-R keyboard command (as an 
    alternative to the right-click Mark as reviewed menu option). See "Collaborating on Events 
    (Event Annotation)" on page 277. 

Copy (Ctrl-C) 
    See "Using the Edit Menu" on page 59. 

Cut (Ctrl-X) 
    See "Using the Edit Menu" on page 59. 

Delete (Delete key) 
    See "Using the Edit Menu" on page 59. 

Find (Ctrl-F) 
    See "Using the Edit Menu" on page 59. 

Open the Edit menu (Alt-E) 
    See "Using the Edit Menu" on page 59. 

Paste (Ctrl-V) 
    See "Using the Edit Menu" on page 59. 

Redo (Ctrl-Y) 
    Re-do any text edit operation. 

Select All (Ctrl-A) 
    See "Using the Edit Menu" on page 59. 

Undo (Ctrl-Z) 
    Undo any text edit operation. 

Exit/shut down the Console (Alt-F4) 
    See "Using the File Menu" on page 59. 

Open the File menu (Alt-F) 
    See "Using the File Menu" on page 59. 

Open the View menu (Alt-V) 
    See "Using the View Menu" on page 60. 

Open the Window menu (Alt-W) 
    See "Using the Window Menu" on page 61. 

Open the Tools menu (Alt-T) 
    See "Using the Tools Menu" on page 61. 

Open the System menu (Alt-S) 
    See "Using the System Menu" on page 62. 

Open the Help menu (Alt-H) 
    See "Using the Help Menu" on page 65. 

Open the Help directly (F1) 
    See "Using the Help Menu" on page 65. 


Printing from the Console 

You can print Navigator trees for all resources. You can print resource definitions for rules, filters, and 
cases, as well as conditions from the "Common Conditions Editor (CCE)" on page 864 (for all 
resources with filters). You can print from all grid or channel views. 


ArcSight Console User's Guide 
Chapter 2: Working in the Console 


Tip: You have the option to display a Print Preview dialog before you send your job to the printer. 
Enable the Print Preview dialog through the Console’s Preferences > Global Options menu. See 

"Changing Global Options" on page 79 for details. 


Printing Navigation Tree Views of Resources 

To print the Navigation tree for a resource: 

1. In the Navigator, choose the resource you want to print. 

2. Click items in the tree to expand or collapse folders in the tree depending on what you want to see 
in the printout. 

Tip: A printout of the Navigation tree for a resource will show the tree exactly as it is 
displayed on the Console. Folders that are expanded or collapsed on the Console will show 
the same way in the printout. To print the tree showing the items contained in a particular 
folder, expand the folder in the Navigation tree before selecting the Print option. 

3. Right-click any element in the Navigation tree for that resource and choose Print 
<ResourceName> Tree. (For example, Print Rule Tree.) Regardless of which item you select to 
access the right-click menu, the whole tree prints. 

4. The system displays a print preview that matches the resource's tree view on the Navigator panel. 

5. Click Print to bring up a standard Print dialog, and set these properties (destination printer, page 
layout to use, and so on). 

6. Click OK to print. 


Printing Resource Definitions 

You can print resource definitions for rules, filters, and cases. You can print a resource definition from 
the Navigator tree or from within the resource editor. 

To print a resource definition: 

1. In the Navigator, choose the type of resource you want to print. 

2. Right-click an instance of that resource (a rule, filter, or case), and choose Print 
<ResourceName> Definition (for example, Print Rule Definition). 

Or 
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Double-click a resource to open its editor in the Inspect/Edit panel, then right-click the topmost tab 
in the editor and choose Print <ResourceName> Definition. 

The system displays a print preview such as the preview of a Rules definition. 

Tip: From the Print Preview of a resource definition, you can export the displayed information 
into an HTML file or send the preview directly to a printer. 

3. Click Print to bring up a standard Print dialog, and set these properties (which printer, page layout, 
and soon). 

4. Click OK to print. 

To save the print preview as HTML: 

1. On the Print Preview dialog, click the Export tool button. 

2. In the file browser, navigate to the location where you want to save the HTML file. 

3. Enter a name for the file in the File Name field. The File Type is Web Page (*.html) by default. 

4. Click Save. 


Printing Grid Views 

Active channels and active lists are examples of grid views. 

To print items from a grid view: 

1. Select one or more items in the grid. To select multiple, adjacent items, use the Shift key and 
mouse click, or click and drag. To select non-adjacent items, use the Alt key in combination with 
mouse clicks. 

2. Right-click and choose Print Selected Rows. 

The system displays a preview of the printout. 

Note: The format of a grid view printout is determined by the number of columns in the table 
and the configuration of the Column Flip Limit, which is set in the Console Preferences dialog. 
For more information, see "Using Column Flip Limit to Format Grid View Printouts " on 
page 71. 

3. Click Print to open the Print dialog, and set these properties (which printer, page layout, and so 
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on). 

4. Click OK to print. 


Printing Conditions Tree Summary 

You can print Conditions for any resource with filters. 

1. Open the resource in the Editor. 

2. Click the Conditions tab. 

3. Right-click anywhere on the Edit tab in the "Common Conditions Editor (CCE)" on page 864. 

4. Choose Print Conditions Tree and Summary from the context menu. 

The system displays a preview of the printout. For example, the Print Preview of the filter for 
the stock rule called Excessive Rule Recursion shows the Event conditions tree (Rules Engine 
Warning Event) followed by its summary: Device Event Category = /Rule/Warning/Loop (ignore 
case) AND Type = Base AND Agent Type = arcsight_security_manager (ignore case). 

5. Click Print to bring up a standard Print dialog, and set these properties (destination printer, 
page layout to use, and so on). 

6. Click OK to print. 


Using Column Flip Limit to Format Grid View Printouts 

For printing tables from Grid Views (channels, lists, and so forth), you can configure the Column Flip 
Limit in the Console Preferences. Choose Edit > Preferences, and click Grid View Options. The 
default is 10 columns. A grid view prints as a table or with details per row, depending on the number 
of columns it has and how the Column Flip Limit is configured. 

Grid views with the same or fewer columns than the Column Flip Limit print as a table, in the same 
format shown in the UI on the Console grid view. 

Grid views with more columns than the Column Flip Limit print as detail per row rather than as a 
table like that shown on the Console grid view; in the printout, each row of the grid becomes one 
block of detail lines. 

Instructions for setting the Column Flip Limit for grid views are also summarized in "Setting Grid 
Options for the Viewer Panel" on page 83. 


Error and Warning Messages 

Certain error messages, warnings, and notifications appear in a small dialog. To capture the error 
message and supporting data, click the Copy button or check Copy message to system clipboard to 
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copy the entire message to the Clipboard. You can then paste the error message in text fields in the 
Console, into the body of an e-mail message, or other applications. 






Chapter 3: Personalizing the Console 

The Console has displays and settings that you use to monitor an enterprise using various windows, 
panels, views, controls, and tool bars. You can change these displays and settings based on your 
monitoring needs. 

Changing the Console Display 76 

Changing User Preferences 77 

Saving and Sending Settings 97 


Changing the Console Display 


You can change the look and feel of the Console to better display information, focus on particular 
panels, or hide information not of interest. You can resize the Console, float or dock Console panels, 
apply translucency to a floating panel, and show or hide the menu bars, tool bars, and various displays. 


What do you want to do? Here's how: 

Resize the Console 
    • To expand to the whole screen, click the Maximize icon at the top-right corner of the window. 
    • To collapse the Console, click the Minimize button or drag the corners of the Console to 
    resize it. 
    • To resize any panels, drag and drop any panel dividers. 

Show or hide menu bars and tools 
    Right-click the Menu bar area of the Console and use the context menu to enable (check) or 
    disable (clear) each component. 

Show or hide the status bar 
    Click the Status Bar button on the toolbar, or on the Window menu, choose Status Bar. 

Show or hide the Navigator panel 
    Click the Navigator button on the toolbar, or on the Window menu, choose Navigator Panel. 

Show or hide the Viewer panel 
    Click the Viewer button on the toolbar, or on the Window menu, choose Viewer Panel. 

Show or hide the Inspect/Edit panel 
    Click the Inspector button on the toolbar, or on the Window menu, choose Inspect/Edit Panel. 

Float a Console panel 
    Click the Float/Dock button on the panel header, or right-click the panel header and choose 
    Float Panel. 

    You can apply translucency once a panel is floated. 

Apply translucency to a floating Console panel 
    Float the panel first before applying translucency. Move the Translucency slider on the panel 
    header. The panel header of a floating panel carries the Translucency slider (only available 
    when a panel is floating), the Minimize/Maximize panel button, and the Dock panel button. 

Dock a Console panel 
    Click the Float/Dock button on the panel header, or right-click the panel header and choose 
    Dock Panel. 

Close a Console panel 
    Click the Close button (X) on the panel header, or right-click the panel header and choose 
    Close Panel. 


Changing User Preferences 

You can change several Console characteristics to suit your security needs, working style, or personal 
preferences. You reach the Preferences dialog box through the Edit > Preferences menu command. 

Related topics include: 

• "Changing Your Password" on the next page 

• "Changing Other Users' Passwords" on the next page 

• "Setting Default Editors and Viewers" on the next page 

• "Changing Global Options" on page 79 

• "Setting Grid Options for the Viewer Panel" on page 83 

• "Customizing the Default Selections for Active Lists" on page 85 

• "Setting Date and Time Formats" on page 86 

• "Configuring Event Graphs" on page 87 

• "Setting Latitude and Longitude Options" on page 86 

• "Setting Notification Popups" on page 89 

• "Managing Hot Keys" on page 89 
Changing Your Password

Administrators create users and assign passwords. After logging in with your administrator-created
password, you must change it for security reasons.

Note: You can change your password only if your ArcSight installation is configured to use built-in
password authentication. Contact your system administrator for instructions on how to change
passwords on ArcSight systems that use RADIUS, SecurID or SSL authentication.

Where: Edit > Preferences > Password 

1. Enter your old password, new password, and confirm the new password.

2. Click OK. 

By default, passwords require a minimum of 6 characters, can contain a maximum of 20 characters, 
and can contain numbers and/or letters. Ask your system administrator about any special requirements 
for your site. For information on password restrictions, see the "Managing Password Configuration" 
topic and its subtopics in the Administrator's Guide. 


Changing Other Users' Passwords 

Administrators may also reset user passwords; for example, if a user's original password has been
compromised or you want to make users update their passwords. For information on how to do this,
see "Resetting User Passwords" on page 186 in "Managing Users" on page 180.


Setting Default Editors and Viewers 

You can set the default editors and viewers to use for text, HTML, and packet payloads. For example, 
you'll use the HTML editor when editing the Knowledge Base and the Web browser for reports. 

Where: Edit > Preferences > Programs 


Program Preferences

Program Preference: Value

Preferred Text/HTML Editor: Enter the complete path to your preferred text or HTML editor, or click the Browse button to locate the editor.

Preferred Web Browser: Enter the complete path to the preferred Web browser or click Browse to locate the executable. Use your preferred Web browser to display HTML files such as custom view dashboards, reports, knowledge base articles, and so on.

For an updated list of supported products, refer to the HP ArcSight ESM Support Matrix in Protect724. This matrix includes the supported Web browsers for your ESM version.

Preferred Payload Viewer: Enter the complete path to your preferred packet-payload viewer or click the Browse button to locate one.

Text to PCAP Converter: Enter the complete path to your preferred packet-payload PCAP converter or click the Browse button to locate one.

Changing Global Options 

You can make the Inspect/Edit panel open as a docked window inside, or as a floating window outside, 
the Console. You can do the same with all child windows as a class. 


Where: Edit > Preferences > Global Options 


[Figure: Preferences dialog with Global Options selected, listing Font (Tahoma, Plain, 11), Launch editors in a floating window, Allow multiple editors of the same type, Allow multiple event inspectors, Allow Bulk Delete, Create independent floating windows, Auto Relogin, Use system defaults for dashboard background, Show print preview dialog, Set help dialog size (Width,Height), and the Dialog Options section]
Refer to the following table for available settings.

Global Options for Console

Global Option: Description

Font: Set global preference for font face, size, and style used throughout the Console, except on windows or views where you can set fonts specific to those Console elements. (For example, you can set fonts specific to Grid views as detailed in the next topic.) Click into the Font field to get the drop-down menu arrow, then click the arrow to bring up the Fonts dialog. Set the Font, Size and Style.

Launch editors in a floating window: Open all editors in a floating window. If deselected, all editors appear in the Inspect/Edit panel. If you select this option, you can still float or dock the windows.

Allow multiple editors of the same type: Permit more than one resource editor to be opened simultaneously for a given resource type (for example, opening three instances of the Filter Editor at once). Enabling this option is very useful for analysts and persons implementing security solutions, but may be inappropriate for operators or other persons who should have less-extensive editing access.

Allow multiple event inspectors: Display details of multiple events in their respective Event Inspector tabs on the Inspect/Edit panel. If de-selected (the default), you can only view event details one event at a time. For more information about the Event Inspector, see "Inspecting and Editing" on page 48 and "Event Inspector" on page 988.

Allow Bulk Delete: Delete multiple resources without any dependency warnings. If de-selected, you can still delete multiple resources but you see a warning if there are any resource dependencies.

Create independent floating windows: Independently float new windows that are children of another window such as the Viewer panel. This is the default. When enabled, you can choose a window's name from the list at the Window>Floating command, or the toolbar button, to bring it forward.

Auto Relogin: Automatically log in again after logging out of the Console.

Use system defaults for dashboard background: When this option is selected, your system defaults are used for all Dashboard backgrounds. You can customize views for dashboards for display on the Web browser. See "Using Custom View Dashboards" on page 264.

Show print preview dialog: Display a preview of the printable page when you choose to print a resource definition, for example, a rule definition. This preference is selected by default. Print preview options include Print, view each printable page (as applicable), and zoom in or out of the previewed page. For more information about printing, see "Printing from the Console" on page 67.

Set Help dialog size (Width, Height): The Help display window defaults to a width of 910 by a height of 650 pixels. You can specify a different default Help window display size here. To do this, enter a new window size (for example: 750,900), then press the Enter key.

Note: Press Enter after setting the new display size, and then also click Apply or OK to save all preference settings. If you do not press Enter, the new window size setting cannot be saved even if you click Apply or OK.


Note: For descriptions of settings in the Dialog Options section, see "Setting Dialog Options" 
below. 


Setting Dialog Options 

Purpose: Part of Global Options, Dialog Options is where you define the behavior of dialog boxes for 
system messages. System messages are classified into error and informational or warning messages. 

Where: Edit > Preferences > Global Options 
Tip: If necessary, expand the Preferences window to expose the subtabs under Dialog Options.

Refer to the following table for available settings. The information in the table applies to both error and 
informational or warning messages. 

Dialog Options for Console

Dialog Option: Description

Show message in popup dialog: Display the message in a popup with an option to save the message to the clipboard. Selected by default. Clear the checkbox if you don’t want system messages in a popup.

Note: ESM also maintains system logs containing some audit information and details of any issues that occur. Refer to the ArcSight Command Center User Guide’s Administration and Configuration section and read the topic, “Log Retrieval.”

Dialog Type:

• Classic: Display the dialog in the front center of the ArcSight Console. The dialog remains in this position until you click OK to dismiss it.

• Animated: Animation defines the display duration, the dialog’s direction of movement when it appears, and the direction of movement after the dialog times out.

  Location: Position the dialog on one of the nine available locations on the screen and keep it displayed for the duration specified in Dialog Timeout.

  For Entrance Animation:

  Dialog Timeout: Display the message for the specified number of milliseconds. The default is 3,000.

  Effect: For Fly, move the dialog from Direction and stop at Location. For Zoom, start the dialog at a small size and resize it to its optimal size when it reaches Location. For Fade, make the dialog gradually appear at Location (Direction is ignored).

  Direction: Move the dialog from one of eight origination points on the edge of the screen to Location. Direction works only with the Fly and Zoom effects. Direction for Entrance Animation can be different from Exit Animation’s.

  For Exit Animation:

  Effect: For Fly, move the dialog from Location to Direction. For Zoom, shrink the dialog as it reaches the destination. For Fade, make the dialog gradually disappear at the same location when Dialog Timeout is reached (Direction is ignored).

  Direction: When Dialog Timeout is reached and if Effect is not Fade, move the dialog from Location to one of eight origination points on the edge of the screen. Direction works only with the Fly and Zoom effects. Exit Animation and Entrance Animation can have different settings for Direction.


Setting Grid Options for the Viewer Panel 

These options are for data displayed on the viewer panel's grid. 

Where: Edit > Preferences > Grid View Options 

Refer to the following table for available settings: 

Grid View Options for Console

Grid View Option: Description

Font: Set global preference for font face, size, and style used in Grid views. Click into the Font field to get the drop-down menu arrow, then click the arrow to bring up the Fonts dialog. Set the Font, Size and Style.

Color text by priority in grid: Apply distinguishing colors to the event rows in Viewer panel grid displays, based on their threat-priority levels. Note that this option can be overridden by the Color text by filter in grid option if conflicts occur. When these options are not selected, the text in grid rows defaults to black.

Color text by filter in grid: Apply distinguishing colors to the event rows in Viewer panel grid displays, based on the filters that selected them. You set these colors through the Configure button, described below. Note that this option, when selected, overrides the Color text by priority in grid option if conflicts occur. When these options are not selected, the text in grid rows defaults to black.

Pause the current channel on event selection: By default, selecting an event pauses the event flow to avoid scrolling. Clear this checkbox to allow the flow to continue regardless of a selection.

Do not prompt on verifying rule channel's timestamp change: Toggles on or off the option to have the system generate a prompt when the timestamp changes on an active channel populated by correlation events.

Do not prompt on channel restart: Toggles on or off the option to have the system generate a prompt when an active channel is restarted.

Check available database partitions on Active Channel start: This option applies to Oracle-based ESM and does not apply to ESM with CORR-Engine.

Print Column Flip Limit: Determines the print format for Grid Views (channels, lists, and so forth). Grid views with the same or fewer columns than the Column Flip Limit print as a table, the same as is shown in the UI on the Console grid view. Grid views with more columns than the Column Flip Limit print details per row rather than in a normal table like that shown on the Console grid view. The default setting for Column Flip Limit is "10" columns. (Tables with more than 10 columns print details per row.) See also "Printing from the Console" on page 67.

Filter Coloring Preferences: Click Configure to assign identifying colors to as many as five filters in the Configure Filter Colors dialog box.

Note: For instructions on customizing the grid's right-click option, InActiveList, see "Customizing
the Default Selections for Active Lists" on the next page.


Customizing the Default Selections for Active Lists 

If you are viewing events on an active channel, you have the ability to add selected events to existing 
active lists. By default, the Console's viewer panel enables you to browse to the resource locator so 
you can locate then select the desired list. These lists might be assigned to different list groups and 
might also be nested in a hierarchy. 

If adding events from the event grid to existing lists is a frequent task for you, you can configure the 
grid's right-click option to display your top three frequently-used lists so that these lists are immediately 
available for selection. 

Where: Edit > Preferences > Grid View Options 

1. On the Grid View ActiveList Options area, click Configure. The ActiveLists resource selector is
displayed. 

2. Expand a group to locate your first preferred active list. 

a. Select an active list and click Add. 

b. Repeat to add up to a total of three lists. 

c. Change a list's position by clicking the up or down arrow. 

d. Remove lists from the selection as required. 


Below is an example configuration for a selection of preferred active lists:

[Figure: Grid View ActiveList Options area showing the configured preferred active lists]
Below are the resulting default list selections when you open an event channel, right-click an event, and
choose Active List > Add To:

[Figure: grid right-click menu (Investigate, Debug Filter..., Debug Event Priority, Active List, Annotate Events... Ctrl+T, Mark as reviewed, Select Events with Matching Cell, Invert Selection, Event Graph) with Active List > Add To expanded to show the three preferred lists followed by Other..., and Remove From beneath it]


Note: This feature does not apply to the Remove From option from the grid view. If you are using 
the Remove From option, the Console displays an Active List selector dialog. You then navigate 
through the resource tree for active lists to select the list. 


Setting Date and Time Formats 

Purpose: Use the Date/Time option to choose a formatting style for the date and time strings displayed 
throughout the Console. You can also customize the details of any style you pick. 

Where: Edit > Preferences > Date & Time 

1. Click the Formats buttons and choose a date/time style from the lists for Date & Time Format
and Short Date & Time Format options. 

2. Select Express all times as GMT to universally show time values in GMT rather than local times. 

3. Click Apply to put your changes into effect and leave the Preferences dialog box open, or OK to 
save your changes and close the dialog box. 

If you want, you can customize the selected format string. Edit the Format string using the Java-style 
date options described in the Format Help window. 


Setting Latitude and Longitude Options 

Purpose: To define formats for latitude and longitude expressions in the Asset > Locations resource. 
Where: Edit > Preferences > Latitude & Longitude 

Choose from one of the available formats to express longitude and latitude. Below is an example 
configuration for latitude and longitude format preferences: 
Latitude & Longitude Entry Format:

• DMS: Degree Minute Second (-49°30'00")

• DM: Degree Minute (-49°30.0')

• DD: Decimal Degree (-49.5000°)

• Show compass direction (49.5000° S)


The options for latitude and longitude format vary from more exact to less so. Latitude and longitude 
can be shown in degrees, minutes, and seconds; degrees and minutes; or decimal degrees only. 
Additionally, an indicator of compass direction for the specified location can be shown or hidden in the 
editor. 

To view the effects of your preference settings: 

1. Choose Assets in the Navigator, then click Locations.

2. Create a new location or edit an existing one to open the Location Editor. (See "Managing
Locations" on page 137.)

Below is an example of how the Location Editor displays the preferred formats for Latitude and 
Longitude attributes: 
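The following is an added example, not code from the ArcSight guide: it renders a decimal-degree value in the three Latitude & Longitude Entry Format choices (DMS, DM, DD) with the optional compass-direction indicator, using the guide's sample value of -49.5 degrees. The function and parameter names are this example's own.

```python
# Added example, not from the ArcSight guide. Reproduces the three Latitude &
# Longitude Entry Format choices and the "Show compass direction" option.

def format_coordinate(value: float, style: str, axis: str, compass: bool = False) -> str:
    """Format one coordinate the way the Location Editor would display it.

    style:   "DMS" (degree minute second), "DM" (degree minute) or "DD" (decimal degree)
    axis:    "lat" or "lon"; used for range checking and for the compass letter
    compass: when True, drop the sign and append N/S (lat) or E/W (lon),
             as "Show compass direction" does (49.5000° S instead of -49.5000°)
    """
    if axis not in ("lat", "lon"):
        raise ValueError("axis must be 'lat' or 'lon'")
    limit = 90.0 if axis == "lat" else 180.0
    if not -limit <= value <= limit:
        raise ValueError(f"{axis} value {value} is outside +/-{limit:g}")

    mag = abs(value)
    if style == "DMS":
        # Work in whole seconds so that rounding carries into minutes and
        # degrees (0.99999 becomes 1°00'00" rather than 0°59'60").
        total = int(round(mag * 3600))
        deg, rem = divmod(total, 3600)
        minutes, sec = divmod(rem, 60)
        body = f"{deg}°{minutes:02d}'{sec:02d}\""
    elif style == "DM":
        # Tenths of a minute, with the same carry behaviour.
        total = int(round(mag * 600))
        deg, tenths = divmod(total, 600)
        body = f"{deg}°{tenths / 10:04.1f}'"
    elif style == "DD":
        body = f"{mag:.4f}°"
    else:
        raise ValueError(f"unknown style {style!r}")

    if compass:
        positive, negative = ("N", "S") if axis == "lat" else ("E", "W")
        return f"{body} {negative if value < 0 else positive}"
    return f"-{body}" if value < 0 else body


def format_location(lat: float, lon: float, style: str, compass: bool = False):
    """Return (latitude, longitude) strings for a Locations resource entry."""
    return (format_coordinate(lat, style, "lat", compass),
            format_coordinate(lon, style, "lon", compass))


if __name__ == "__main__":
    # Constructed sample location: the guide's -49.5 latitude, plus a longitude.
    for style in ("DMS", "DM", "DD"):
        print(style, format_location(-49.5, 12.3456, style))
    print("DD + compass", format_location(-49.5, 12.3456, "DD", compass=True))
```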



Configuring Event Graphs 

Purpose: You can modify the way graphs plot events, choosing to keep the source-event-target visual 
relationships compact; or to emphasize unique sources, targets; or both, in order to clarify the nature of 
attacks or situations. 

Where: Edit > Preferences > Event Graph 

Click the Value fields of the graph attributes to choose appropriate options: 

• Show Event Nodes: Choose a basis for visually expanding or aggregating event nodes, relative to 
their source and target node instances. 
Choice: Description

Once per common event: Graph only one instance of a given event node, regardless of the number of unique sources and targets that have it in common. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there may be visual instances for each source and target, but only one of the event node.

Once per unique source: Graph one instance of a given event node per unique source, regardless of the commonality of associated targets. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are two visual instances of the event in support of the two distinct sources.

Once per unique target: Graph one instance of a given event node per unique target, regardless of the commonality of associated sources. For example, if sources 1 and 2 are directing the same event at targets 1, 2, and 3, there are three visual instances of the event in support of the three distinct targets.

Once per unique source-target pair: Graph one instance of a given event node per unique source-target pair, regardless of the commonality of the events involved. For example, if sources 1 and 2 are directing a given event at targets 1, 2, and 3; and as a chain, targets 1, 2, and 3 are sourcing the same events on to targets 4, 5, and 6; then there are six visual instances of the event in support of six distinct targets.


• Show Source/Target IP Addresses as: In cases where one source-event-target chains to 
another, you can choose to graph a source/target IP address as a single node, or to graph both the 
source and target instances of such an IP address. 


Choice: Description

Distinct nodes: Visually plot both the source and target instances of a chained IP address.

Simple nodes: Visually plot a single node for an IP address that represents both source and target.


• Source Node Identifier: Choose a different event attribute to use as the identifier for source 
nodes. The default attribute is Source Address. Note that while all attributes are available, not all 
are appropriate choices for this purpose. 

• Event Node Identifier: Choose a different event attribute to use as the identifier for event nodes.
The default attribute is ArcSight Category. Note that while all attributes are available, not all are 
appropriate choices for this purpose. 

• Target Node Identifier: Choose a different event attribute to use as the identifier for target nodes. 
The default attribute is Target Address. Note that while all attributes are available, not all are 
appropriate choices for this purpose. 
• Graph Layout: Set the layout for all event graphs.


Note: You can override this default layout setting when you are actually viewing an event 
graph. For more details, refer to the topic, "Event Graphs as an Investigation and Analysis 
Tool" in ESM 101. 


• Default Field Set: Choose from the ArcSight-provided field sets to supply the data points in the 
graph. The default field set is from /All Field Sets/ArcSight System/Event Field 
Sets/Active Channels/Standard. 
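As an added example (not code from the ArcSight guide), the following counts the nodes an event graph would draw for each Show Event Nodes choice and each Show Source/Target IP Addresses as choice, with the Source/Event/Target Node Identifier fields swappable as the preferences allow. The event records, field names and addresses are constructed for this example and mirror the guide's sources 1-2 / targets 1-6 scenario.

```python
# Added example, not from the ArcSight guide. Event records are constructed;
# the field names are chosen to resemble common ArcSight event fields.

DEFAULT_IDS = {"source": "sourceAddress", "event": "category", "target": "targetAddress"}


def _event(src, tgt):
    return {"sourceAddress": src, "targetAddress": tgt,
            "category": "/Recon/Scan", "name": "Port Scan", "sourceZone": "Internal"}


# Mirrors the guide's example: sources 1 and 2 direct the same event at targets
# 1, 2 and 3; as a chain, targets 1-3 source the same event on to targets 4-6.
FIRST_HOP = [_event(f"10.0.0.{s}", f"10.0.1.{t}") for s in (1, 2) for t in (1, 2, 3)]
CHAIN = [_event(f"10.0.1.{s}", f"10.0.2.{t}") for s in (1, 2, 3) for t in (4, 5, 6)]

# Which identifier roles each Show Event Nodes choice keeps distinct; everything
# else collapses into the same event node.
EVENT_NODE_KEYS = {
    "once per common event": ("event",),
    "once per unique source": ("event", "source"),
    "once per unique target": ("event", "target"),
    "once per unique source-target pair": ("event", "source", "target"),
}


def event_node_instances(events, show_event_nodes, ids=DEFAULT_IDS):
    """Number of event-node instances drawn for the given Show Event Nodes choice.

    ids maps the roles source/event/target to the event field used as that
    node's identifier (the Source/Event/Target Node Identifier preferences).
    """
    roles = EVENT_NODE_KEYS[show_event_nodes]
    keys = {tuple(e[ids[role]] for role in roles) for e in events}
    return len(keys)


def address_nodes(events, show_addresses_as, ids=DEFAULT_IDS):
    """Number of source/target nodes drawn for the Show Source/Target IP Addresses as choice."""
    sources = {e[ids["source"]] for e in events}
    targets = {e[ids["target"]] for e in events}
    if show_addresses_as == "distinct nodes":
        return len(sources) + len(targets)   # a chained address is drawn twice
    if show_addresses_as == "simple nodes":
        return len(sources | targets)        # one node per address in either role
    raise ValueError(f"unknown choice {show_addresses_as!r}")


if __name__ == "__main__":
    for choice in EVENT_NODE_KEYS:
        print(f"{choice:36} -> {event_node_instances(FIRST_HOP, choice)} event node(s)")
    for choice in ("distinct nodes", "simple nodes"):
        print(f"{choice:36} -> {address_nodes(FIRST_HOP + CHAIN, choice)} address node(s)")
    # Using a coarser Source Node Identifier (the zone) collapses both sources.
    zone_ids = dict(DEFAULT_IDS, source="sourceZone")
    print("per unique source, by zone     ->",
          event_node_instances(FIRST_HOP, "once per unique source", zone_ids))
```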


Setting Notification Popups 

Purpose: You can manage received notifications from within the Console. In the Preferences dialog 
box, you can set a severity threshold for notification popups and optionally play a sound when 
notifications arrive. 

Where: Edit > Preferences > Notifications 

For Severity threshold for notification popup, raise or lower the integer value to a priority value that 
is appropriate for the level at which you want to be alerted. 

Select Play a sound when a notification message is received to also emit a sound when the alert 
threshold is met. Browse to the file of your preferred audio alert. 


Managing Hot Keys 

The Console provides schemas for configuring keyboard shortcuts to common actions. These 
schemas come with the Console: 

• $default 

• Schemas for users 


Tip: Keep these reminders in mind: 

■ Schemas for users other than administrators are listed only for users who have set up 
custom shortcuts on this Console under their login. 

■ Custom shortcuts are available locally only. (See "Sharing Custom Shortcut Schemas" on 
page 96 for more information.) 


Note: If this Console does not use UTF-8 encoding, refer to the “Installing ArcSight Console”
chapter of the ESM Installation and Configuration Guide, and read the topic “Character Set
Encoding” under “Installing the Console.”

Schemas for users are all based on the $default schema. That is, user schemas inherit all $default
schema shortcuts. The $default schema.

Where: Edit > Preferences > Manage Hot Keys 

Under “Available shortcut schemas”, the schema currently in use shows as “(active)” next to its name. 

You can define a keyboard shortcut for each command listed. Each command can have a different (or 
the same) keyboard shortcut depending on which schema is selected. 

Keyboard shortcuts are pre-defined for common commands. For example, the pre-defined keyboard
shortcut for the Select All command (edit.selectAll) is Ctrl+A.

Commands shown in red on the Preferences dialog are not editable (for example, edit.delete,
edit.redo, edit.cut, edit.copy, edit.paste, and so forth). The flyover tooltips on these commands
also indicate that they are not editable.

There are many commands listed for which no shortcut is provided (for example, file.new.Report,
file.new.Rule, navigator.reports, navigator.queryViewers, and so forth).

Adding Shortcuts for Frequently Used Resources 

This first task is not initiated on the Edit > Preferences dialog, but rather from various resource 
contexts in the Console. But the results of setting up shortcut keys on selected resources are shown 
on the Edit > Preferences > Managing Hot Keys dialog, as described below. 

Where: Navigator > <Resource> 

For example, choose Active Channels in the Navigator, and select an active channel such as /All 
Active Channels/ArcSight Administration/System Events Last Hour. 

To add a shortcut to a resource: 

1. Navigate to and select the resource for which you want to add a shortcut. 

2. Right-click and choose Manage Hot Keys from the context menu to bring up the shortcut setup 
dialog for this resource. 

3. Select the action you want to take with regard to the resource. Each resource has its own set of
actions, such as Edit <resource> and Show <resource>.

4. In the Press new shortcut field:

■ Optionally, click the button to get a drop-down menu where you can set the type of
shortcut to add (mouse, tab, and so forth) and limits on keystrokes. (For example, if you want to
set the shortcut on this channel to Ctrl+C+H, this requires first changing the keystroke limit from
the default of 1, to 2 keystrokes.)

■ Type the keyboard sequence you want to associate with the command.

If the keyboard sequence you typed is not in use, a light gray “no conflicts” message is
shown in the “Shortcuts currently used by” field. (For example, if you select navigator.rules,
place the cursor in the “Press new shortcut” field, and type Ctrl+Alt+X, you get the “no conflicts”
message.)

If you type a sequence that is already used by another shortcut, you get a message in the
“Shortcuts currently used by” field telling you which resource is currently using the shortcut. (For
example, the default shortcut for navigator.rules is Ctrl+Alt+L. If you type Ctrl+Alt+R in the
“Press new shortcut” field, you get a message noting that this sequence is already in use for
navigator.reports.)

If you continue with the assignment, you get a prompt asking whether you want to remove the 
shortcut from the other resource and add it to this new one. 

5. Click Assign to associate the shortcut with the resource. 



6. Click OK to save your changes and close the dialog. 

7. Confirm your setting by selecting Edit > Preferences > Managing Hot Keys dialog. 

8. On the list of commands, locate the resource for which you created the shortcut. Resources are 
shown by their URIs. 

9. Select the URI to display the associated shortcut, as in the following example: 
[Figure: Manage Hot Keys preferences with a resource URI (for example, <Resource URI=/All Active Channels/ArcSight Administration/ESM/System Health/...>) selected in the command list, and its key sequence shown under Shortcuts for selected command]


Modifying a Custom Shortcut 

Shortcuts are associated with schemas based on the user. 

Where: Edit > Preferences > Manage Hot Keys 

To modify a custom shortcut: 

1. On the Edit Preferences > Manage Hotkeys dialog, select a shortcut schema (the associated
user) in which you want to modify shortcuts for commands.

In this example, the schema for the user called admin is selected. Note, however, that the
schema selected for modifying a hot key need not be the “active” schema, as it happens to be in
this example.

[Figure: Available shortcut schemas list showing $default, admin (active), Samantha and Darren, with the Set Active button and "Based on schema: $default"]



2. Select the command for which you want to modify the hot key. 
You can filter for commands containing a given string (for example, navigator to find all navigator
commands).

[Figure: command list filtered with "Show commands containing: navigator", listing navigator.partitions, navigator.patternDiscovery, navigator.queryViewers, navigator.reports, navigator.rules, navigator.stages, navigator.users and window.navigator; Shortcuts for selected command: Ctrl+Alt+L]


3. In the Press new shortcut field: 


■ Optionally, click the button to get a drop-down menu where you can set the type of
shortcut to add (mouse, tab, etc.) and limits on keystrokes. (The default keystroke limit is one. If
you set it to 2 or 3, you have more combinations of keystrokes available to use for custom
settings.)

■ Type the keyboard sequence you want to associate with the command.

If the keyboard sequence you typed is not in use, a light gray “no conflicts” message is
shown in the “Shortcuts currently used by” field. (For example, if you select navigator.rules,
place the cursor in the “Press new shortcut” field, and type Ctrl+Alt+X, you get the “no conflicts”
message.)

If you type a sequence that is already used by another shortcut, you get a message in the
“Shortcuts currently used by” field telling you which resource is currently using the shortcut. (For
example, the default shortcut for navigator.rules is Ctrl+Alt+L. If you type Ctrl+Alt+R in the
“Press new shortcut” field, you get a message noting that this sequence is already in use for
navigator.reports.)

If you continue with the assignment, you get a prompt asking whether you want to remove the 
shortcut from the other resource and add it to this new one. 

4. Click Assign to apply the new shortcut to the command. 


Tip: An asterisk is displayed next to commands for which the pre-defined shortcuts have 
been modified or overwritten. These customized commands are also displayed in blue text, 
rather than the usual black. 





ArcSight Console User's Guide 
Chapter 3: Personalizing the Console 


[Figure: command list showing navigator.queryViewers, navigator.reports, navigator.rules (marked with an asterisk as a customized command) and navigator.stages]

5. Click Apply to save/apply the new shortcut, or click OK to save/apply the new shortcut and close 
the Preferences dialog. 

Modifying Custom Shortcuts for Resources 

You can modify a custom shortcut for a resource in either of these ways:

• Directly from the right-click Manage Hot Keys dialog on that resource 

• From the Edit > Preferences > Manage Hot Keys dialog as described above in "Modifying a 
Custom Shortcut" on page 92. 

To remove a custom shortcut directly from the resource: 

1. Navigate to and select the resource from which you want to remove the shortcut.

2. With the appropriate resource selected, right-click and choose Manage Hot Keys from the 
context menu to bring up the shortcut setup dialog for this resource. 

3. Select the action (for example, Show or Edit) associated with the shortcut. 

The shortcut is shown in the “Press new shortcut” field. 

4. Modify it as needed. (See "Modifying a Custom Shortcut" on page 92.) 

5. Click OK to save your changes and close the dialog. 

Removing a Custom Shortcut 

Where: Edit > Preferences > Manage Hot Keys 

To remove a custom shortcut (key sequence) for any command: 

1 . Select the schema in which you want to modify the command. 

2. Select the command for which you want to modify the hot key. 

3. Select one of the customized commands (blue, with an asterisk). 
[Figure: command list showing navigator.queryViewers, navigator.reports, navigator.rules (marked with an asterisk) and navigator.stages]

The current key sequence associated with this command is shown in the Shortcuts for selected 
command field. 

4. Click the Remove button next to the “Shortcuts for selected command field”. 

The custom shortcut (key sequence) is removed, and replaced by the default key sequence (if 
there was one). 


Note: As soon as you remove the shortcut by clicking Remove, the changes are saved. 
Even if you click Cancel to close the Preferences dialog at this point, the shortcut is not 
saved for when you return. 


For example, if navigator.rules was modified to be associated with Ctrl+Alt+X, then when you
remove this shortcut navigator.rules would again be associated with its default shortcut of
Ctrl+Alt+L.

Tip: Only custom shortcuts can be removed. Default shortcuts cannot be deleted. 
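The schema inheritance from $default, the “Shortcuts currently used by” conflict check, the take-over prompt, and Remove reverting a command to its default shortcut (described under "Adding Shortcuts for Frequently Used Resources" and "Removing a Custom Shortcut") can be modelled as follows. This is an added example, not the Console's code: the shortcut values are the guide's own examples, while the Schema class, ConflictError and the NON_EDITABLE set are this example's stand-ins for the Console's behaviour.

```python
# Added example, not from the ArcSight guide. Models per-user shortcut schemas
# that inherit from $default, conflict detection, take-over and removal.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Shortcuts quoted in the guide: edit.selectAll is Ctrl+A, navigator.rules is
# Ctrl+Alt+L and navigator.reports is Ctrl+Alt+R.
DEFAULT_SHORTCUTS = {
    "edit.selectAll": "Ctrl+A",
    "navigator.rules": "Ctrl+Alt+L",
    "navigator.reports": "Ctrl+Alt+R",
}
# Commands the guide lists as shown in red (not editable).
NON_EDITABLE = {"edit.delete", "edit.redo", "edit.cut", "edit.copy", "edit.paste"}


class ConflictError(Exception):
    """Stands in for the Console's prompt that a sequence is already in use."""

    def __init__(self, owner: str):
        super().__init__(f"shortcut already in use by {owner}")
        self.owner = owner


@dataclass
class Schema:
    name: str
    base: Optional["Schema"] = None
    # command -> shortcut. A value of None records that the shortcut was taken
    # away from this command, overriding whatever the base schema says.
    overrides: Dict[str, Optional[str]] = field(default_factory=dict)

    def shortcut_of(self, command: str) -> Optional[str]:
        if command in self.overrides:
            return self.overrides[command]
        return self.base.shortcut_of(command) if self.base else None

    def commands(self) -> set:
        cmds = set(self.overrides)
        if self.base:
            cmds |= self.base.commands()
        return cmds

    def used_by(self, shortcut: str) -> Optional[str]:
        """What the 'Shortcuts currently used by' field shows: the owner, or None."""
        for cmd in sorted(self.commands()):
            if self.shortcut_of(cmd) == shortcut:
                return cmd
        return None

    def is_customized(self, command: str) -> bool:
        """True for commands the dialog marks with an asterisk (blue text)."""
        return self.base is not None and command in self.overrides

    def assign(self, command: str, shortcut: str, take_over: bool = False) -> None:
        """Assign a shortcut; a conflict raises unless the caller agrees to take it over."""
        if command in NON_EDITABLE:
            raise ValueError(f"{command} is not editable")
        owner = self.used_by(shortcut)
        if owner not in (None, command):
            if not take_over:
                raise ConflictError(owner)
            self.overrides[owner] = None      # removed from the other command
        self.overrides[command] = shortcut

    def remove_custom(self, command: str) -> Optional[str]:
        """The Remove button: drop the custom shortcut, return the default that applies again."""
        if not self.is_customized(command):
            raise ValueError("only custom shortcuts can be removed")
        del self.overrides[command]
        return self.shortcut_of(command)


if __name__ == "__main__":
    default = Schema("$default", overrides=dict(DEFAULT_SHORTCUTS))
    admin = Schema("admin", base=default)
    print("inherited:", admin.shortcut_of("navigator.rules"))       # Ctrl+Alt+L
    print("Ctrl+Alt+X used by:", admin.used_by("Ctrl+Alt+X"))        # None: "no conflicts"
    admin.assign("navigator.rules", "Ctrl+Alt+X")
    print("after remove:", admin.remove_custom("navigator.rules"))   # back to Ctrl+Alt+L
```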

Removing Custom Shortcuts for Resources 

You can remove a custom shortcut for a resource in either of these ways:

• Directly from the right-click Manage Hot Keys dialog on that resource 

• From the Edit > Preferences > Manage Hot Keys dialog as described above in "Removing a 
Custom Shortcut" on the previous page. 

To remove a custom shortcut directly from the resource: 

1. Navigate to and select the resource from which you want to remove the shortcut. 

2. With the appropriate resource selected, right-click and choose Manage Hot Keys from the 
context menu to bring up the shortcut setup dialog for this resource. 

3. Select the action (for example, Show or Edit) associated with the shortcut. 

The shortcut, if any, is shown in the “Press new shortcut” field. 

4. Click Remove. 

5. Click OK or Cancel to close the dialog. 
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Note: As soon as you remove the shortcut by clicking Remove, the changes are saved. 
Even if you click Cancel to close the dialog at this point, the shortcut is not saved for when 
you return. 


Activating a New Shortcut Schema 

For more information on schemas, see the introduction to the shortcut key management at "Managing 
Hot Keys" on page 89. 

Where: Edit > Preferences > Manage Hot Keys 


To activate a new schema: 


1. Select the schema you want to activate. 


[Screenshot: Available shortcut schemas list showing $default, admin (active), Samantha, and Darren, with a Set Active button] 


2. Click Set Active. 


Tip: To get an enabled Set Active button, select a schema that is not currently applied. If you 
select a schema that is already active, the Set Active button is disabled. 


3. Click Apply to apply the new schema, or click OK to apply the new schema and close the 
Preferences dialog. 


[Screenshot: Available shortcut schemas list showing $default, admin, Samantha (active), and Darren, with a Set Active button] 


Sharing Custom Shortcut Schemas 

Shortcut schemas are available only locally, on the Console where they were created. That is, if schemas for several 
different users are configured on a Console running on a particular machine, those shortcut setups 
(schemas) are not available from the same user logins on other machines. 

For example, suppose you customize shortcuts for the user called admin, and two other users (for 
example, Samantha and Darren) on laptop A. All three of those users can log in and use their shortcuts 
on the Console running on laptop A. But if the same users log in on another machine (laptop B) and log 
in as admin, Samantha, or Darren, none of the custom shortcuts are available on laptop B (unless the 
same shortcuts were set up manually here also). 
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Saving and Sending Settings 

Purpose: The File Save and Save As options allow you to save Console settings (.ast files) locally. 
You can also save and load your own personal settings from the ArcSight Manager by using the File 
Save to Manager and File Load from Manager options. That way, for example, you can quickly 
restore Console settings when you move to a Console running on a different computer. 

Where: File menu 

To save your settings to a file: 

1. Choose File > Save or File > Save As. 

2. In the Save dialog box, navigate to a directory and enter a file name. 

3. Click Save. 

The Console saves your settings in the file you specified, on the local computer. Later, you can restore 
those settings to return the Console to that configuration, using the File > Open command. 

To save a file to the ArcSight Manager: 

Choose File > Save to Manager. 

Your Console settings are saved to a file (based on your login user name with the .ast extension) and 
maintained by the ArcSight Manager. 

To reload a file from the ArcSight Manager: 

On the File menu, choose Load from Manager. The Console loads the saved settings (.ast) file and 
asks whether you want to apply them to your current session. If you say Yes, the Console restarts and 
refreshes the display. 

To send a file by e-mail: 

1. Choose File > Send To. 

2. In the Send To dialog box, enter the E-mail Address and click OK. 
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The following topics explain how to model your network and configure various aspects of the network 
model (assets, locations, zones, and so on), and how to manage customer accounts (if applicable). 


The Network Model 99 

Asset Model 105 

Populating the Network Model with Assets 107 

Populating the Network Model Using the Wizard 110 

Working with Assets, Locations, Zones, Networks, Vulnerabilities, and Categories 122 


ArcSight operates on a data model that enables you to build a business-oriented view of data derived 
from physical information systems. These distinctions help to clearly identify the events in your 
network, and provide more layers of detail to correlation. Modeling your network and its assets is part of 
setup and ongoing maintenance. 


[Figure: Network Model resources (Assets, Asset Ranges, Zones, Networks, Customers) and Asset Model resources (Vulnerabilities, Locations, Asset Categories)] 


The network model consists of the asset model and the network model, which, combined, facilitate 
building detailed correlation criteria. All of the Network Modeling resources, except Customers, are 
available as part of the Assets resource. 

• "The Network Model" on the next page is a representation of the nodes on your network and 
certain characteristics of the network itself. 

• "Asset Model" on page 105 describes attributes of the assets themselves for different 
purposes. 


Tip: For an overview and information about types of assets and the network model, refer to the 
“Network Model” chapter of ESM 101. 
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The Network Model 

The network model is a representation of the nodes on your network and certain characteristics of the 
network itself. 

Before you can make an informed decision about what to do about a particular event, it helps to know 
something about the event's source and destination. Is the source a previous attacker, does it come 
from a hostile region of the world, or is it a trusted server that has become the source of an attack? 
Does the destination host critical applications, or is it a known server of forbidden services? 

This kind of information is captured by modeling the assets on your network and particular pertinent 
attributes of the network. The network model represents information for individual assets and whole 
zones. For critical assets on the protected network, network modeling captures important facts that 
help inform your decisions, such as: 

• All open ports 

• The operating system running on that host 

• Known vulnerabilities that might be exposed 

• Applications present 

• The missions these applications support and their criticality to your operation 

For less critical assets, such as a block of addresses on the Internet, it may be sufficient to know 
general information about them, such as the country in which those assets reside. 

The Network Model consists of the following resources. All of these resources, except Customers, are 
part of the Assets resource. 

• "Assets" on the next page represent individual nodes on the network, such as servers, routers, 
and laptops. 

• "Asset Ranges" on page 103 represent a set of network nodes addressable as a contiguous 
block of IP addresses. 

• "Zones" on page 103 represent portions of the network itself that are characterized by a 
contiguous block of addresses. 

• "Networks" on page 104 provide an additional distinction to differentiate between two private 
address spaces with overlapping IP address ranges. 

• Customers describe the internal or external cost centers or separate business units associated 
with networks, if applicable to your business environment. Customer tagging is a feature developed 
mainly to support Managed Security Service Provider (MSSP) environments, although it can also 
be used by private organizations to denote cost centers, internal groups, or subdivisions. The 
Customer designation keeps event traffic from multiple cost centers or business units separately 
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identified. A customer can be thought of as the "owner" of an event, rather than the source or target 
of an event. For more about Customers, see "Managing Customers" on page 138. 


Assets 

An asset is any network endpoint with an IP address, MAC address, host name, or external ID. For 
network modeling purposes, an asset is any endpoint you consider significant enough to characterize 
with details that make correlation and reporting more meaningful. 

Automatically-Created Assets 

The system automatically creates assets to model the network nodes that host ArcSight components 
(Managers, Consoles, and SmartConnectors). It also automatically creates assets for events received 
from device endpoints on your network that do not already have assets modeled in ArcSight, and, if 
applicable, for assets arriving from scan reports sent by vulnerability scanners brought in by scanner 
SmartConnectors. This auto-asset creation feature could require configuration, depending on the 
assets reporting to the Manager. 

Depending on which method you use, assets are placed in the following locations: 

• Assets that are created through scanners are placed in the Resource tree under Assets/All 
Assets/<Zone Group>/<Zone>. 

• Assets that are auto-created by any other type of SmartConnectors are placed under Assets/All 
Assets/ArcSight System Administration/Devices. 

You can also configure the Manager to create assets for devices that report through 
SmartConnectors. 

Auto-Created Assets for Components 


The system automatically creates assets to model the network nodes that host components. These 
assets do not contain vulnerability information, and are used for system administration. 


Component: ArcSight Manager 

An asset for the Manager is added (if needed) every time the Manager service starts. 

Component: Consoles 

An asset is added for each Console the first time it connects with the Manager. 
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Component: SmartConnectors 

An asset is created for SmartConnectors only when the SmartConnector begins reporting base events 
from the device it represents. A Connector can be successfully added to the Manager, but until it starts 
reporting events from the device it represents, an asset cannot be created for it in the Asset Model. 

The system creates assets differently for SmartConnectors in static zones and those in dynamic zones. 
For more about static and dynamic zones, see "Assets" on the previous page. 

For details about creating assets for SmartConnectors, see "Creating Assets for SmartConnectors" 
on page 802. 


Devices Discovered by a Vulnerability Scanner 


The system also imports asset and vulnerability information from vulnerability scanner reports 
generated by products such as Nessus, FoundStone, and ISS Internet Scanner. Asset information is 
passed to the Manager via the scanner SmartConnector appropriate for your vulnerability scanner 
product based on IP address, MAC address, and host name. 

Updated vulnerability information is added to existing assets with matching identifiers. If a matching 
asset does not already exist, the system creates one. 

The system creates assets from vulnerability scan reports differently for dynamic and static zones. For 
more about dynamic and static zones, see "Assets" on the previous page. 

For details about how the system creates assets from vulnerability scans, see "Creating Assets from a 
Vulnerability Scan Report" on page 800. 

Tip: Scanner reports list only information received through the scanner, whereas Asset Editors 
include the full list of both scanner data and vulnerability mappings stored in the system. 

Therefore, the Editors might show more or different information than the information from scanner 
reports. 

Devices Reporting Through SmartConnectors 

The administrator can configure asset creation for each device that reports to that SmartConnector 
based on IP address, MAC address, and host name when the Manager receives events from 
SmartConnectors. 

This feature makes it possible to add assets to the network model that may not be part of a regular 
asset scanning report without having to create them individually. Assets created using this method do 
not contain vulnerability information, although once they are added to the network model, they can be 
supplemented with matching data that arrives from a scanner report or that you add individually using 
the Console. 

Administrators can enable the option to create assets for network devices in the Manager Configuration 
Wizard. For more about running the Manager Configuration Wizard, see the topic “Reconfiguring 
ArcSight Manager” in the Administrator’s Guide. 
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The system creates assets differently for devices in static zones and those in dynamic zones. For 
more about static and dynamic zones, see "Assets" on page 100. 

For details about how the system creates assets for devices reporting through SmartConnectors, see 
"Creating Assets for Network Devices" on page 805. 

For more about how to tune asset auto creation from the Console, refer to the Standard Content Guide 
— ArcSight System and ArcSight Administration. For information about an optional ArcSight 
Foundation, refer to the Standard Content Guide for that Foundation. ESM documentation is available 
on Protect 724 at (https://protect724.hp.com). 

It is also possible to customize how the asset auto-creation function works by modifying settings in the 
server.properties file. For additional details, see "Asset Auto-Creation Advanced Configuration 
Options" on page 808. For more about working with properties files, see the topic “Managing and 
Changing Properties File Settings” in the Administrator’s Guide. 

For an overview of the ways by which the network model can be populated with assets, see 
"Populating the Network Model with Assets" on page 107. 

Asset Aging and Model Confidence 


Note: Only the assets belonging to the following categories are considered for aging: 

• /Site Asset Categories/Scanned/Open Ports 

• /Site Asset Categories/Scanned Vulnerabilities 


The asset aging function keeps track of the last time an asset was scanned, and incrementally 
diminishes an asset’s model confidence in the priority formula over time to zero if it hasn’t been 
scanned in more than 120 days. (You can configure the time range.) 

An asset’s age is tracked by default. You can opt to automatically disable an asset that exceeds the 
configured age limit. This process is described in “Asset Aging” in the Administrator’s Guide. 

Note: Resolving zone information on disabled assets 

To ensure that events get sorted properly, the system continues to resolve an asset’s zone 
information and add it to the event, even when the asset is inactive (disabled). 


To see why an asset was disabled: 

1. In the Navigator panel, go to the Assets tab in the Assets tree. The disabled asset appears with a 
grey icon. 

2. Right-click the disabled asset and select Show Disabled Reason. The message displayed 
indicates how many days it has been since the asset’s last scan. 
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To re-enable a disabled asset: 

If an asset has been automatically disabled, you can manually re-enable it. In the Navigator panel in the 
Assets tab of the Assets tree, right-click the disabled icon and select Enable. 


Asset Ranges 

An asset range is a group of network assets that use a contiguous block of IP addresses. An asset 
range is useful if you have many network nodes that would be impractical to track individually, or that 
may come and go from the network, such as desktop PCs and laptops. 

When an event is processed by a SmartConnector, the Manager, or the correlation engine, its endpoints are 
identified either as a single asset or as an asset belonging to an asset range. A reference to the asset or 
asset range identifier is populated in the event schema. 


Zones 

Zones are ArcSight resources that represent a functional part of the network with contiguous IP 
addresses, such as DMZ, VPN, wireless LAN, or DHCP. 

Every asset or address range is associated with a zone. ArcSight is configured with the standard global 
IP address ranges represented as zones, so if your network uses only these public IP addresses, 
ArcSight can resolve them without setting up additional zones. 

Zone groups are folders in which one or more zone resource is stored. Although the assets contained in 
a zone do not inherit the properties of a zone, the zone groups are hierarchical, which means that 
properties assigned to a zone group apply to all the zones contained within that group. 

The following zones are standard: 
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Create your own zones if you have overlapping private networks. Private networks usually model a 
functional group within your network or a subnet, such as a wireless LAN, the engineering network, the 
VPN, or the DMZ. 
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For details about using the zone editor, see "Managing Zones" on page 135. 

Dynamic and Static Zones 

The asset auto-creation feature (see "Asset Auto-Creation" on page 800) relies on zones that are 
already in place before device discovery occurs, either in customer-created zones, or in default zones. 
When you add a SmartConnector, you assign one or more existing Networks to that Connector. All 
assets reported by that Connector are then associated with that Network and the zones the Network 
represents. 

The system differentiates dynamic and static zones to classify the represented asset types. 

Static Zones 

Devices in a static zone use static (constant) IP addresses. These are devices that stay on the 
network and use the same IP address for all traffic. In order to identify assets in static zones, the 
assets must have either a unique IP address, a unique host name, or both. 

Dynamic Zones 

Devices in a dynamic zone use dynamic addressing (such as DHCP). Dynamic zones represent 
assets that come and go from the network, such as laptops. By default, the system requires either a 
MAC address or a host name to identify assets in dynamic zones. The system first looks for a MAC 
address; if not available, the host name is used. 

Caution: Classifying Zones as Static or Dynamic 

It is important that zones are classified properly as dynamic or static. 

If a zone is classified as static, but hosts assets that come and go from the network, the system 
may not be able to update the network model properly. For example: 

• The updated network might have duplicate and disabled assets. 

• Other information, such as vulnerability information and open ports, might not be updated 
properly. 


Static Assets in Dynamic Zones 

If an asset is classified as static, but belongs to a dynamic zone, the system treats the asset as if it 
was in a static zone. See the description and links above for how the asset auto-creation feature works 
for static zones. 


Networks 

Networks are ArcSight resources that are used to differentiate between zones whose IP ranges 
overlap, such as when branch locations assign the same private address spaces to resources used in 
other corporate locations. 
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The system comes configured with two standard networks: Local and Global. The Local network is 
where you add your custom zones. Zone mappings in the Local network override the default zone 
mappings provided by the Global network. 

The Global network provides default zone mapping if no local networks are defined, and automatically 
provides the correct addressing information to ArcSight SmartConnectors when they are installed. 

Custom Networks are also used to compartmentalize Customer designations in MSSP situations. 

When you associate a customer or a location with a network in the Network Editor, zones 
automatically access this information. (See "Managing Networks" on page 136.) 
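As an added illustration of the identification rules in "Dynamic and Static Zones" and the Local-over-Global precedence in "Networks" above, the following Python models how an event endpoint is resolved to a zone and then matched to an asset. It is not ArcSight code; the class names, fields and tie-breaking rules are assumptions, and the sample data is constructed.

```python
"""Constructed model of endpoint-to-zone-to-asset resolution (not ArcSight
code). Rules taken from the text: zones are contiguous address blocks; Local
network mappings override Global ones; static zones identify assets by IP
address or host name; dynamic zones use MAC address first, then host name;
an asset flagged static inside a dynamic zone is matched as if static."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Zone:
    name: str
    network: str        # "Local" or "Global"
    cidr: IPv4Network   # zones are contiguous blocks of addresses
    dynamic: bool       # True for DHCP-style zones


@dataclass
class Asset:
    name: str
    zone: str
    ip: Optional[str] = None
    mac: Optional[str] = None
    hostname: Optional[str] = None
    static: bool = False    # "static asset in a dynamic zone"


@dataclass
class Endpoint:
    ip: str
    mac: Optional[str] = None
    hostname: Optional[str] = None


def resolve_zone(ip: str, zones: List[Zone]) -> Optional[Zone]:
    """Zone whose block contains ip; Local mappings override Global ones.
    Most-specific block wins among several hits (assumed tie-break)."""
    addr = IPv4Address(ip)
    hits = [z for z in zones if addr in z.cidr]
    if not hits:
        return None
    local = [z for z in hits if z.network == "Local"]
    return max(local or hits, key=lambda z: z.cidr.prefixlen)


def _same_host(a: Optional[str], b: Optional[str]) -> bool:
    return bool(a) and bool(b) and a.lower() == b.lower()


def identifiers_match(asset: Asset, ep: Endpoint, as_static: bool) -> bool:
    """Static rule: a unique IP address or host name identifies the asset.
    Dynamic rule: MAC address first; host name only when no MAC is available."""
    if as_static:
        return asset.ip == ep.ip or _same_host(asset.hostname, ep.hostname)
    if ep.mac and asset.mac:
        return asset.mac.lower() == ep.mac.lower()
    return _same_host(asset.hostname, ep.hostname)


def reconcile(ep: Endpoint, zones: List[Zone],
              assets: List[Asset]) -> Tuple[str, Asset]:
    """Return ("matched", existing) or ("created", new) for one endpoint.
    "created" for a device that already has an asset is the duplicate-asset
    symptom the caution on misclassified zones describes."""
    zone = resolve_zone(ep.ip, zones)
    if zone is None:
        raise LookupError(f"no zone covers {ep.ip}")
    for asset in assets:
        if asset.zone != zone.name:
            continue
        # a static-flagged asset in a dynamic zone is matched as if static
        as_static = (not zone.dynamic) or asset.static
        if identifiers_match(asset, ep, as_static):
            return "matched", asset
    new = Asset(name=ep.hostname or ep.ip, zone=zone.name,
                ip=ep.ip, mac=ep.mac, hostname=ep.hostname)
    assets.append(new)
    return "created", new


# Constructed sample data: a Global private block, a Local override for the
# server subnet (static) and a Local DHCP range for laptops (dynamic).
SAMPLE_ZONES = [
    Zone("Global-Private", "Global", IPv4Network("10.0.0.0/8"), dynamic=False),
    Zone("Eng-Servers", "Local", IPv4Network("10.1.0.0/16"), dynamic=False),
    Zone("Wireless-DHCP", "Local", IPv4Network("10.2.0.0/16"), dynamic=True),
]


def demo_laptop_new_lease(zone_is_dynamic: bool) -> str:
    """Same laptop (same MAC) reports from a new DHCP address. Returns
    "matched" if its zone is dynamic, "created" (a duplicate) if it was
    misclassified as static."""
    zones = [Zone("Laptops", "Local", IPv4Network("10.2.0.0/16"), zone_is_dynamic)]
    assets = [Asset("lt-042", "Laptops", ip="10.2.0.10",
                    mac="00:11:22:33:44:55", hostname="lt-042")]
    outcome, _ = reconcile(Endpoint("10.2.0.77", mac="00:11:22:33:44:55"),
                           zones, assets)
    return outcome
```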


Asset Model 

The resources that make up the asset model are part of the overall network modeling process. The 
asset model resources describe attributes of the assets themselves for different purposes. Locations 
and Vulnerabilities are part of the Assets resource. 

Topics include: 

• "Locations" below 

• "Vulnerabilities" below 

• "Asset Categories" on the next page 


Locations 

The system provides a location database that maps an IP address to the owning body for the block of 
IP addresses to which it belongs. Your organization may have finer-grained detail, such as the physical 
location of all of your networks or networks outside your control, or corrections to the database that the 
system supplies. The Location resource is the way you can override the default location mappings with 
location information relevant to your network. 

Location is an attribute you can set if the asset you are modeling resides in a geographic location that 
differs from the location set by the mapping database that associates IP addresses with location 
information. 


Vulnerabilities 

The asset vulnerabilities on your network are normally discovered and updated by scanners. The most 
common manual change to a vulnerability resource is to associate it with a Knowledge Base article. 
You can associate assets with vulnerabilities from either the Vulnerabilities or Assets editors. (See 
"Managing Vulnerabilities" on page 128 for information on the vulnerability editor.) 
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Asset Categories 

Asset categories are ArcSight resources that describe the properties of an asset in terms of how it is 
used. Asset categories are one of the key ways to add differentiation, relevance, and context to the 
millions of events passing through your network. 

Asset categories establish identity, ownership, and criticality of the assets on your network. The root of 
a particular category (for example, Criticality in the group 
/All Asset Categories/System Asset Categories/Criticality) defines the property itself, 
whereas the members of the category (for example, the criticality levels Very High, High, and so on) 
define the possible values for that property. 

You can create new asset categories as a right-click option in the navigation panel, and associate 
categories with assets using the Asset Editor. Most methods for populating the network model 
described in "Populating the Network Model with Assets" on the next page include adding asset 
categories to your assets, asset ranges, asset groups, and zones. 

Asset Categories Assigned to Assets, Asset Ranges, and 
Asset Groups 

Categories assigned to individual assets and asset ranges apply only to those individual assets. This is 
the most granular level to which you can apply asset categories. If an asset falls into an asset range, it 
inherits the asset categories assigned to the asset range. 

Asset Groups are a folder containing one or more Asset resources. Asset Groups are hierarchical, so 
properties assigned to an Asset Group apply to all the assets in that group. 

Categories assigned to asset groups apply to all assets and asset ranges in that group. Individual 
assets and asset ranges within a group inherit the categories assigned to the group, if any, in 
addition to the asset categories assigned to them individually. 

Asset Categories Assigned to Zones 

Categories assigned to zones describe the network itself, not assets within it. Use this to categorize 
traffic on a network where the assets are not constant, such as a wireless or VPN network. For 
example, categories might describe whether the network is wireless, encrypted, or a VPN. You may be 
characterizing the network or the traffic on the network (wireless describes the network; encrypted 
describes the traffic) rather than the assets. Asset categories assigned to zones are not passed on to 
assets contained within that zone. 
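The inheritance rules above (asset, asset range, the asset group hierarchy, and the zone exception), worked through as an added Python illustration. This is not ArcSight code; the data structures, the sample group tree and the sample category URIs are constructed assumptions.

```python
"""Constructed model of asset-category inheritance (not ArcSight code).
Rules taken from the text: categories assigned to an asset apply to it; an
asset inside an asset range inherits the range's categories; asset groups are
hierarchical folders, so a group's categories apply to every asset and asset
range beneath it; categories assigned to a zone describe the network and are
not passed on to the assets in it."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Set

CRITICALITY = "/All Asset Categories/System Asset Categories/Criticality"


@dataclass
class AssetRange:
    name: str
    group: str              # URI of the asset group folder holding the range
    cidr: IPv4Network
    categories: Set[str]


@dataclass
class Asset:
    name: str
    group: str              # URI of the asset group folder holding the asset
    ip: str
    zone: str
    categories: Set[str]


def group_chain(group_uri: str) -> List[str]:
    """URIs of a group and all its ancestors, root first."""
    parts = group_uri.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def inherited_from_groups(group_uri: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Categories assigned anywhere on the folder path above an item."""
    cats: Set[str] = set()
    for uri in group_chain(group_uri):
        cats |= groups.get(uri, set())
    return cats


def effective_categories(asset: Asset, groups: Dict[str, Set[str]],
                         ranges: List[AssetRange]) -> Set[str]:
    """Categories that apply to an asset: its own, those of its group chain,
    and those of any asset range containing its address (the range's own
    categories plus, assumed transitively, those of the range's group chain).
    Zone categories are deliberately not consulted here."""
    cats = set(asset.categories) | inherited_from_groups(asset.group, groups)
    addr = IPv4Address(asset.ip)
    for rng in ranges:
        if addr in rng.cidr:
            cats |= rng.categories | inherited_from_groups(rng.group, groups)
    return cats


def zone_categories(asset: Asset, zone_cats: Dict[str, Set[str]]) -> Set[str]:
    """Categories describing the network or traffic around the asset.
    Kept separate: they are not inherited by the asset."""
    return set(zone_cats.get(asset.zone, set()))


def category_values(cats: Set[str], root: str) -> List[str]:
    """Members of one category root, e.g. the Criticality values an asset
    carries (the root names the property; its members are the values)."""
    prefix = root.rstrip("/") + "/"
    return sorted(c[len(prefix):] for c in cats if c.startswith(prefix))


# Constructed sample: a finance database server in a categorised group tree,
# inside a categorised asset range, in a zone categorised as encrypted.
SAMPLE_GROUPS = {
    "/All Assets/Site Assets": {CRITICALITY + "/Medium"},
    "/All Assets/Site Assets/Finance": {
        "/All Asset Categories/Site Asset Categories/Business Unit/Finance"},
}
SAMPLE_RANGES = [AssetRange(
    "Finance DB tier", "/All Assets/Site Assets/Finance",
    IPv4Network("10.1.20.0/24"),
    {"/All Asset Categories/Site Asset Categories/Tier/Database"})]
SAMPLE_ZONE_CATEGORIES = {"Eng-Servers": {
    "/All Asset Categories/Site Asset Categories/Network/Encrypted"}}
SAMPLE_ASSET = Asset("fin-db-01", "/All Assets/Site Assets/Finance",
                     "10.1.20.5", "Eng-Servers", {CRITICALITY + "/Very High"})


def demo() -> Set[str]:
    """Effective categories of the sample asset; the zone's Encrypted
    category describes the traffic, not the host, and is absent."""
    return effective_categories(SAMPLE_ASSET, SAMPLE_GROUPS, SAMPLE_RANGES)
```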

For more about asset modeling, see the topic “Asset Model” in ESM 101. For instructions about how to 
set asset categories, see the following topics: 

• "Populating the Network Model with Assets" on the next page 

• "Populating the Network Model Using the Wizard" on page 110 

• "Managing Asset Categories" on page 136. 
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Caution: Always exercise caution when deleting or changing existing asset categories. 
Changing an asset category can break existing conditions that use that category. As a best 
practice, create new categories in new groups. 


Populating the Network Model with Assets 

There are several ways to populate the network model with the assets that represent your monitored 
network. Most enterprises use a combination of these methods: 


Caution: Do not import assets with an ampersand (&) in the name. The ArcSight resource 
framework does not support that character in asset and zone names. 

When importing assets using a scanner import connector, the automatically-created asset group 
name is based on the new asset's zone name. If that name already exists in the same folder, then 
instead of importing the asset there, as you would expect, the connector imports the asset into 
either a standard System Asset Group or a higher level custom Asset Group to prevent a folder 
name conflict. 

Ensure that if you manually create asset range names, they do not match the Zone names of 
assets that you intend to import using an asset scanner connector. 


Console-Based Methods 

The Console provides two ways to populate the network model: 

• Manually configuring individual network modeling resources 

• Using a Network Modeling wizard 
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Console-based methods 


All the tools for modeling the network are in the Console. The Network Modeling Wizard provides a 
quick way to add basic assets to your Network Model at setup time. 

Manually, Using Network Modeling Resources 

Set parameters for every asset using the network modeling resources (Assets, Asset Ranges, Zones, 
Networks, and Customers) and asset modeling resources (Asset Categories, Vulnerabilities, and 
Locations). 

Use these tools in conjunction with the other batch-loading methods that only offer limited distinctions. 
As long as primary identifiers, such as IP address, host name, and MAC address, remain the same, the 
automatic update methods only update fields with new information so the Network Model remains 
stable. 

See the topic “ArcSight Network Model” in ESM 101. 

In a Batch Using the Network Modeling Wizard 

The Console provides a Network Modeling wizard as a set-up and configuration tool (menu option 
Tools > Network Model). The Network Modeling wizard enables you to load Assets, Asset Ranges, 
and Zones along with Asset Category information. If you also add a vulnerability scanner as described 
in "SmartConnector-Based Methods" on the next page, the existing assets in the model are updated 
with the vulnerability scan report data. 

The Network Modeling Wizard is flexible. It can take output from any device type in CSV format. The 
CSV file can include as many new or pre-existing asset categories as are relevant to the devices 
without having to add asset category information one by one later using the Asset Category resource in 
the Console. This tool is appropriate for initial set-up and configuration, not as a method for maintaining 
the network model. 
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For more about the Network Modeling Wizard, see "Populating the Network Model Using the Wizard" 
on the next page. 


SmartConnector-Based Methods 

These methods enable batch loading and automatic ongoing maintenance. Both methods offer limited 
distinctions. 
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Using the Asset Model Import FlexConnector 

The system offers an Asset Model Import FlexConnector that reads Asset, Location, and Asset 
Category information from a CSV file, which it then sends to the Manager. New assets are added and 
existing assets in the model are updated. 

This method does not create asset ranges, and assumes that Zones, Networks, customers, and 
locations are already created. 

For more about the Asset Import FlexConnector, see the Developer's Guide for Asset Model Import 
FlexConnector. 

Automatically From a Vulnerability Scanner Report 

Set up a scanner SmartConnector (such as FoundStone, ISS Internet Scanner, or Nessus) to use the 
output of a vulnerability scan to convert device information into Assets along with Vulnerability 
information, and basic Asset Categories, such as operating system and open ports. The scanner 
connector that corresponds with your vulnerability scanning product sets up a directory that it regularly 
scans for updated reports. It then converts the scanner report output into internal scanner meta-events, 
which the Manager converts into Assets, open port and OS Asset Categories, and Vulnerabilities. For 
more about the architecture of how this works, see the topic “How Vulnerability Scans Populate and 
Update the Network Model” in ESM 101. 

You can also set the scanner SmartConnector to save network model data as a CSV file, which you 
can then upload into the Manager using the Files resource during your initial network model setup. 
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Data derived from vulnerability scanner reports does not create asset ranges, and assumes that Zones 
and Networks are already created. Once scanner data is imported, you can add Customer and Location 
distinctions to the assets individually. For details about how the system adds updated vulnerability 
information arriving from a new scanner report, see "Reporting on Output from Vulnerability Scanners" 
on page 134. 

This method is appropriate for updating and maintaining your network model. Subsequent scans update 
the basic Asset, Asset Category, and Vulnerability information without overwriting the other network 
modeling settings you add individually. 

For more information about the scanner SmartConnector for your vulnerability scanning product, see 
the SmartConnector Configuration Guide that corresponds with your vulnerability scanning equipment. 


ArcSight-Assisted Methods 

HP ArcSight Professional Services can help you populate the Network Model from an existing 
configuration database. 
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As an Archive File From an Existing Configuration Database 

Many enterprise networks have third-party systems that already model the properties of the assets on 
your network. With the help of HP ArcSight Professional Services, you can export these network 
models, translate the format into the ArcSight schema using a resource-generating utility, and import 
the result into the Manager as a resource archive. 

The tools HP ArcSight Professional Services use can generate any type of resource, so using this 
method, you can have a fully populated network model without having to do any individual 
configuration. 


Populating the Network Model Using the Wizard 

The Network Model wizard (menu option Tools > Network Model) makes it possible to quickly 
populate the network model by batch loading asset and zone information from Comma Separated 
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Values (CSV) files. 

Caution: Before using the Network Model Wizard ... 

• Make sure you have Administrator privileges. 

• Do not import assets with an ampersand (&) in the name. The ArcSight resource framework 
does not support that character in asset and zone names. 


The following data can be imported into the Manager from CSV files: 

• Zones define functional parts of a network, such as a wireless LAN, an engineering network, a VPN 
or a DMZ. For the column types of the zones CSV file, see "Zones CSV File Format" on page 115. 

• Assets are individual nodes on the network, such as servers and routers. For the column types of 
the assets CSV file, see "Assets CSV File Format" on page 116. 

• Asset ranges are sets of network nodes addressable as a contiguous block of IP addresses. They 
are useful when you have many network nodes that are impractical to track individually, or that may 
come and go from the network, such as laptops. Asset ranges should be a subset of the IP address 
ranges defined for zones. For the column types of the asset ranges CSV file, see "Asset Ranges 
CSV File Format" on page 119. 

You can import combinations of input CSV files at one time using the Network Model wizard but only 
one file of each type can be imported during a single import. For example, if you only have assets to 
import, you can import only an assets CSV file. If you have a zones CSV file, an assets CSV file, and 
an asset ranges CSV file to import, you can import all three at once using the Network Model wizard. 


Specifying CSV Column Types 

Each CSV file type defines a set of required columns and optional columns. The CSV file can contain 
columns that are not used by the Network Model wizard. Columns can be in any order but the Network 
Model wizard requires that you specify their types so the wizard knows how to interpret them. Specify 
the column type using one of the following methods: 

• Specify the column type in the header of the CSV file itself, prior to launching the Network Model 
wizard. For instructions, see "Specify the Column Type Using a Header" on the next page. 

• While running the Network Model wizard, assign the appropriate column type for each column in the 
Select Column Headers panel. For instructions, see "Assign the Column Type in the Wizard" on 
page 113. 

Columns not used by the Network Model wizard must be assigned the column type Ignore. Only 
columns of type Ignore and Category URI can be repeated in the CSV file. For all other column types, 
only one instance of the column type can be assigned in the file. If duplicate columns of a non- 
repeatable column type exist in the CSV file, one of the columns should be assigned the Ignore 
column type. In a zones CSV file for example, if two name columns appear in the CSV file, assign one 
to the Name column type and the other to the Ignore column type. 
Specify the Column Type Using a Header 

In this method, you specify the column type in the first row (header) of the CSV file itself before 
importing the CSV file using the wizard. The column name in the header must match the column type 
specified in: 

• "Zones CSV File Format" on page 115 

• "Assets CSV File Format" on page 116 

• "Asset Ranges CSV File Format" on page 119 

As shown in the following sample zones CSV file, the column names in the first row match the column 
types specified in "Zones CSV File Format" on page 115. The wizard determines how to interpret each 
column using the column type specified in the header. 

Name, Start Address, End Address, Dynamic, Category URI 
DMZ Public, <Starting-IP-address>, <Ending-IP-address>, FALSE, 
DMZ Corporate, <Starting-IP-address>, <Ending-IP-address>, FALSE, /All Asset Categories/Site Asset Categories/Business Impact Analysis/Network Domains/Email/ 
LAN Corporate, <Starting-IP-address>, <Ending-IP-address>, TRUE, 

When this zone’s CSV file is imported into the wizard, the wizard correctly matches the column types 
because you specified them in the header. 
Specifying Multiple Categories in One Category Column 

When manually creating a CSV file for importing zones, assets or asset ranges, you can specify more 
than one category by repeating the category column: 

Column Type - Importing Zones CSV File using Header Row: 

Name, Start Address, End Address, Dynamic, Category URI, Category URI 
HRZone, <Starting-IP-address>, <Ending-IP-address>, FALSE, /All Asset Categories/ArcSight System Administration/Databases, /All Asset Categories/ArcSight System Administration/Window Servers 
ITZone, <Starting-IP-address>, <Ending-IP-address>, FALSE, /All Asset Categories/ArcSight System Administration/Databases, /All Asset Categories/ArcSight System Administration/Window Servers 

Importing a zones CSV file without a header row is the same, except that the first line is omitted. 

The above is an example of importing zones, but using multiple categories works the same way for 
importing assets and asset ranges. 

Assign the Column Type in the Wizard 

In this method, you assign the column type in the Select Column Headers panels while running the 
wizard. When the following sample zones CSV file (which does not contain a header row) is imported, 
the wizard does not know how to interpret all the columns, as shown below. 

DMZ Public, <Starting-IP-address>, <Ending-IP-address>, FALSE, 
DMZ Corporate, <Starting-IP-address>, <Ending-IP-address>, FALSE, /All Asset Categories/Site Asset Categories/Business Impact Analysis/Network Domains/Email/ 
LAN Corporate, <Starting-IP-address>, <Ending-IP-address>, TRUE, 
[Screenshot: Configure Network Model wizard, Select Column Headers for the Zone Data panel. The 
panel reads: "Click each column heading and select the appropriate column type from the drop-down 
list. Only the first 15 rows of data are displayed but all the data will be imported. Each column must 
be assigned a column type. For a description of each of the column headings, click the Help (?) 
button."] 
By default, when this sample data is imported into the wizard, the second column is automatically 
assigned to the Select column type but it is a description of the zone and should be assigned the 
Ignore column type. To change the column type, click the title of the column, and from the drop-down 
menu select the appropriate column type from the list of options. 


[Screenshot: Configure Network Model wizard, Select Column Headers for the Zone Data panel, with 
the column-type drop-down menu open.] 
Zones CSV File Format 

Zones define functional parts of a network, such as a wireless LAN, private networks, or subnets. For 
example, the following network areas could be identified as a zone: the VPN, the DMZ, or an 
engineering network. Zones are identified with a contiguous block of addresses. 

Caution: Each zone should specify a unique range of IP addresses. The IP addresses specified 
by zones should not overlap. If you import a zone that overlaps with a zone already specified on 
the ArcSight Manager and the new zone has a different name than the existing zone, the following 
occurs: 

• The new zone is created. 

• The existing zone is invalid and is displayed with the broken zone icon in the Console. 


You can define a set of zones in ESM by batch loading zone definitions from a zones CSV file. Zones 
CSV files contain the columns listed in the table below. When a zones CSV file is selected for import, 
by default only the first fifteen rows of data are displayed in Select Column Headers for the Zone Data 
panel. However, when the data is imported into the ArcSight Manager, all the rows are imported. For 
more information, see "Increasing the Number of Displayed Rows" on page 120. 

For the wizard to determine how to process the imported data, the type of each column must be 
specified. For more information, see "Specifying CSV Column Types" on page 111. 

When the Next button is clicked in the Summary of Data to Import panel, the zone data is imported into 
the ArcSight Manager. The new zones are created in the /All Zones/Site Zones group. For example, 
if a zone called DMZ Public was specified in the imported zones CSV file, a new zone is created at the 
following URI: /All Zones/Site Zones/DMZ Public. The new zones are assigned to the default 
network called Local. 


Zone CSV File Columns 

Each entry below lists the column type, its description, whether the column is required, whether it 
can be repeated, and an example value. 

Name 
  Description: A descriptive name for the zone such as the purpose or geographical location. 
  Required column: Yes 
  Repeatable column: No 
  Example value: DMZ Public 

Start Address 
  Description: The start of the range of IP addresses that defines the zone. 
  Required column: Yes 
  Repeatable column: No 
  Example value: 192.0.2.0 

End Address 
  Description: The end of the range of IP addresses that defines the zone. 
  Required column: Yes 
  Repeatable column: No 
  Example value: 192.0.2.24 

Dynamic 
  Description: Determines whether the devices defined in the zone use dynamic addressing: 
    • true: devices in the zone use dynamic addressing (DHCP) 
    • false: devices in the zone use static IP addressing 
  Required column: No (default is false) 
  Repeatable column: No 
  Example value: false 

Category URI 
  Description: The asset category to assign to the zone. NOTE: The wizard does not create new 
  categories. For the category to be assigned, it must already exist. 
  Required column: No 
  Repeatable column: Yes (this column can be repeated because a zone can be categorized into more 
  than one asset category) 
  Example value: /All Asset Categories/Site Asset Categories/Business Impact Analysis/Business Role/Service/Web/ 

Ignore 
  Description: The column contains data that is not used by the Network Model wizard when creating 
  zones. For example, this column could contain a description of the zone. 
  Required column: No 
  Repeatable column: Yes 
  Example value: This zone defines the public subnetwork of the DMZ. 


An Example of a Zones CSV File 

Here is an example of the Zones CSV file: 

HRZoneA, <Starting-IP-address>, <Ending-IP-address>, FALSE, /All Asset Categories/ArcSight System Administration/Databases/ 
IT Zone, <Starting-IP-address>, <Ending-IP-address>, TRUE, /All Asset Categories/ArcSight System Administration/Databases/ 


Assets CSV File Format 

Assets represent individual nodes on the network, such as servers and routers. For more information, 
see "The Network Model" on page 99. 

You can define a set of assets in ESM by batch loading asset definitions from an Assets CSV file. 
Asset CSV files contain the columns listed in the table below. 

When an assets CSV file is selected for import, by default only the first fifteen rows of data are 
displayed in Select Column Headers for the Asset Data panel. However, when the data is imported into 
the ArcSight Manager, all the rows are imported. For more information, see "Increasing the Number of 
Displayed Rows" on page 120. 

For the wizard to determine how to process the imported data, the type of each column must be 
specified. For more information, see "Specifying CSV Column Types" on page 111. 

When the Next button is clicked in the Summary of Data to Import panel, the asset data is imported into 
the ArcSight Manager. The new assets are created in the /All Assets/Site Assets group. For 
example, if an asset called DMZCorpEmailServer was specified in the imported assets CSV file, a new 
asset is created at the following URI: /All Assets/Site Assets/DMZCorpEmailServer. When 
imported, the new assets are auto-zoned. For more information, see "Auto-Zoning of Imported Assets" 
on page 122. 


Assets CSV File Columns 

Each entry below lists the column type, its description, whether the column is required, whether it 
can be repeated, and an example value. 

Name 
  Description: A descriptive name for the asset. This name must be unique. It is recommended to 
  specify a name. However, if a name is not specified, a unique name is generated using the other 
  fields. 
  Required column: No 
  Repeatable column: No 
  Example value: DMZ Corp Email Server 1 

Host Name 
  Description: The host name of the network device represented by the asset. 
  Required column: No 
  Repeatable column: No 
  Example value: dmz_corp_emll 

IP Address 
  Description: The IP address of the network device represented by the asset. NOTE: If no value is 
  specified for this column (, ,) the asset is created with an IP address of 0.0.0.0. 
  Required column: Yes 
  Repeatable column: No 
  Example value: 192.0.2.0 

MAC Address 
  Description: The MAC address of the network device represented by the asset. The MAC address 
  is made up of six groups of two hexadecimal digits, which can be separated by colons (:) or 
  hyphens (-). 
  Required column: No 
  Repeatable column: No 
  Example value: 21-4D-5B-2A-3B-FF 

Static Addressing 
  Description: Defines if the network device is statically addressed even though the IP address of the 
  asset is in a dynamic zone: 
    • true: asset uses static IP addressing 
    • false: device uses dynamic addressing (DHCP) 
  For more information, see "Static Addressing in a Dynamic Zone" below. 
  Required column: No (default is false) 
  Repeatable column: No 
  Example value: false 

Category URI 
  Description: The asset category to assign to the network device. NOTE: The wizard does not 
  create new categories. For the category to be assigned, it must already exist. 
  Required column: No 
  Repeatable column: Yes (this column can be repeated because a network device can be categorized 
  into more than one asset category) 
  Example value: /All Asset Categories/Site Asset Categories/Business Impact Analysis/Network Domains/Email/ 

Ignore 
  Description: The column contains data that is not used by the Network Model wizard when creating 
  assets. For example, this column could contain a description of the asset. 
  Required column: No 
  Repeatable column: Yes 
  Example value: This asset defines the Corporate Email Server in the DMZ. 


An Example of an Assets CSV File 

Here is an example of the Assets CSV file: 

Lab Test machine, lab-111, <IP-address>, <Mac-address>, true, /All Asset Categories/ArcSight System Administration/Consoles/, /All Asset Categories/ArcSight System Administration/Databases/ 

Static Addressing in a Dynamic Zone 

Set the Static Addressing column to true if the network device is statically addressed even though 
the IP address of the asset is in a dynamic zone. For example, set this column to true for the following 
conditions: 

• A dynamic zone is defined with an IP range, for example: 192.0.2.0-192.0.2.12. 

• A network device with an IP address such as 192.0.2.5 is statically addressed even though it is 
defined in the dynamic zone. 

For more about static and dynamic zones, see "The Network Model" on page 99. 


Asset Ranges CSV File Format 

Asset ranges represent sets of network nodes addressable as a contiguous block of IP addresses. 
Asset ranges are useful when you have a number of network nodes that would be impractical to track 
individually, or that may come and go from the network, such as laptops. An asset range can define a 
group of assets that are not addressed individually. Asset ranges should be a subset of the IP address 
ranges defined for zones. 

Caution: Each asset range should specify a unique range of IP addresses. The IP addresses 
specified by asset ranges should not overlap. If you import an asset range that overlaps with an 
asset range already specified on the ArcSight Manager and the new asset range has a different 
name than the existing asset range, the following occurs: 

• The new asset range is created. 

• The existing asset range is invalid and displays with the broken asset range icon in the 
Console. 


You can define a set of asset ranges in ESM by batch loading asset range definitions from an asset 
range CSV file. Asset range CSV files contain the columns listed in the table below. When an asset 
ranges CSV file is selected for import, by default only the first fifteen rows of data are displayed in 
Select Column Headers for the Asset Ranges Data panel. However, when the data is imported into the 
ArcSight Manager, all the rows are imported. For more information, see "Increasing the Number of 
Displayed Rows" on the next page. 

For the wizard to determine how to process the imported data, the type of each column must be 
specified. For more information, see "Specifying CSV Column Types" on page 111. 

When the Next button is clicked in the Summary of Data to Import panel, the asset range data is 
imported into the ArcSight Manager. The new asset ranges are created in the /All Assets/Site 
Assets group. For example, if an asset range called DMZCorpHR was specified in the imported asset 
range CSV file, a new asset range is created at the following URI: /All Assets/Site 
Assets/DMZCorpHR. 
Asset Range CSV File Columns 

Each entry below lists the column type, its description, whether the column is required, whether it 
can be repeated, and an example value. 

Name 
  Description: A descriptive name for the asset range. This name must be unique. 
  Required column: Yes 
  Repeatable column: No 
  Example value: DMZ Corp HR 

Start Address 
  Description: The start of the range of IP addresses that defines the asset range. 
  Required column: Yes 
  Repeatable column: No 
  Example value: 192.0.2.11 

End Address 
  Description: The end of the range of IP addresses that defines the asset range. 
  Required column: Yes 
  Repeatable column: No 
  Example value: 192.0.2.20 

Category URI 
  Description: The asset category to assign to the asset range. NOTE: The wizard does not create 
  new categories. For the category to be assigned, it must already exist. 
  Required column: No 
  Repeatable column: Yes (this column can be repeated because an asset range can be categorized 
  into more than one asset category) 
  Example value: /All Asset Categories/Site Asset Categories/Business Impact Analysis/Data Role/HR Data/ 

Ignore 
  Description: The column contains data that is not used by the Network Model wizard when creating 
  asset ranges. For example, this column could contain a description of the asset range. 
  Required column: No 
  Repeatable column: Yes 
  Example value: This asset range defines all the corporate human resources assets. 


An Example of an Asset Ranges CSV File 

Here is an example of the Asset Ranges CSV file: 

HRRangeA, <Starting-IP-address>, <Ending-IP-address>, /All Asset Categories/ArcSight System Administration/Databases/ 
IT Range X, <Starting-IP-address>, <Ending-IP-address>, /All Asset Categories/ArcSight System Administration/Databases/ 


Increasing the Number of Displayed Rows 

When the data is imported into the ArcSight Manager, all the rows are imported. However, by default, 
only the first fifteen rows of data are displayed in the Select Column Headers for the <Resource Type> 
Data panels. 

To increase the number of displayed rows, add the property 
usecase.networkmodeling.maxrowfortable to the <ARCSIGHT_HOME>/config/console.properties 
file and set the value of the property to a number greater than fifteen. 

Refer to the topic, "Managing and Changing Properties File Settings" in the ESM Administrator's Guide 
for procedures to edit properties files properly. 


Summary of Data to Import 

In the Summary of Data to Import panel, a summary of the network modeling data ready to import into 
the ArcSight Manager is displayed. 

1. Click Next to start the import process. 

A temporary Archive Resource Bundle (ARB) file with the import data is created and the Install 
Packages dialog appears. 

2. To install the data from the temporary ARB file, click OK in the Update Packages dialog. 

The network modeling data is imported into the ArcSight Manager and the Data Imported pane 
displays. In addition, the Installing Packages and the Importing Packages dialogs appear. 

3. Close the open dialogs: 

a. In the Installing Packages dialog, click OK. 

b. In the Importing Packages dialog, click OK. 


Network Data Imported into ArcSight Manager 

When network modeling data is imported from the network modeling data CSV files, new resources are 
created in the following groups on the ArcSight Manager: 

• New zones are created in the /All Zones/Site Zones group. For example, if a zone called 
DMZ Public was specified in the imported zones CSV file, a new zone is created at the following 
URI: /All Zones/Site Zones/DMZ Public. 

The new zones are assigned to the default network called Local. 

• New assets are created in the /All Assets/Site Assets group. For example, if an asset called 
DMZCorpEmailServer was specified in the imported assets CSV file, a new asset is created at the 
following URI: /All Assets/Site Assets/DMZCorpEmailServer. When imported, the new 
assets are auto-zoned. For more information, see "Auto-Zoning of Imported Assets" on the next 
page. 

• New asset ranges are created in the /All Assets/Site Assets group. For example, if an asset 
range called DMZCorpHR was specified in the imported asset range CSV file, a new asset range is 
created at the following URI: /All Assets/Site Assets/DMZCorpHR. 

In the Data Imported dialog, click Finish to close the wizard. 

Auto-Zoning of Imported Assets 

When new assets are imported into the ArcSight Manager using the Network Model wizard, an attempt 
is made to assign the assets to the appropriate zone from the default network called Local. This 
process is called auto-zoning. 

When the asset is imported, if a zone is found with an address range that includes the imported asset 
and that zone is located in the Local network, the matching zone is assigned to the asset. For the 
asset to find the matching zone, the matching zone must either: 

• Already exist on the ArcSight Manager prior to the import. 

• Be imported with the asset as part of the same import process — part of the same transaction. 

Zones are created before assets in the import process. 

If no matching zone is found in the network, no zone is assigned. 

The following example illustrates the auto-zone process. A zone called DMZCorporate is defined in the 
Local network on the Manager with a starting address of 192.0.2.0 and an ending address of 
192.0.2.22. If an asset called DMZCorpDatabase with an IP address of 192.0.2.11 is imported by the 
wizard, the DMZCorporate zone is assigned to DMZCorpDatabase asset because the IP address of the 
DMZCorpDatabase asset is within the range of addresses specified in the DMZCorporate zone, and the 
DMZCorporate zone is located in the Local network. 

Note: Only one asset with a given host name is allowed in a given zone on a network. When two 
assets with the same host name are imported, and if the Manager assigns them to the same zone 
in the same network, both assets are imported but one of the assets is disabled and displays with 
the broken-asset icon in the Console. 
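The following pre-flight checker is an added example, not ArcSight's own code; it applies the rules from "Specifying CSV Column Types", the zone and asset CSV file formats, and "Auto-Zoning of Imported Assets" to constructed sample files before anything is handed to the wizard. It assumes header-row CSV files as described above; the sample zone and asset rows, the host names and the MAC addresses are constructed.

```python
"""Pre-flight checks for Network Model wizard CSV files. Added example, not ArcSight's code;
the sample CSV content is constructed. Rules follow the guide's CSV format and auto-zoning text."""
import csv
import io
import ipaddress
import re
REQUIRED = {"zones": ["Name", "Start Address", "End Address"],
            "assets": ["IP Address"],
            "ranges": ["Name", "Start Address", "End Address"]}
REPEATABLE = {"Ignore", "Category URI"}      # the only column types that may appear twice
# Six groups of two hex digits; the separator (colon or hyphen) must be used consistently.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:([:-])[0-9A-Fa-f]{2})(?:\1[0-9A-Fa-f]{2}){4}$")

def parse(text, kind):
    """Read a CSV whose first row names the column types; return (records, errors)."""
    rows = list(csv.reader(io.StringIO(text.strip())))
    header = [h.strip() for h in rows[0]]
    errors = [f"column type {c!r} repeated; mark one copy Ignore"
              for c in set(header) if c not in REPEATABLE and header.count(c) > 1]
    errors += [f"required column {c!r} missing" for c in REQUIRED[kind] if c not in header]
    records = []
    for lineno, raw in enumerate(rows[1:], start=2):
        rec = {"Category URI": [], "line": lineno}
        for col, cell in zip(header, (c.strip() for c in raw)):
            if col == "Category URI" and cell:
                rec["Category URI"].append(cell)   # repeatable: keep every category
            elif col not in REPEATABLE:
                rec[col] = cell                    # Ignore columns are dropped
        records.append(rec)
    return records, errors

def validate(rec, kind):
    """Check one record against the per-column rules; return a list of problems."""
    errs, where = [], f"line {rec['line']}"
    if "&" in rec.get("Name", ""):
        errs.append(f"{where}: '&' is not supported in names")
    if kind in ("zones", "ranges"):
        try:
            start, end = (ipaddress.ip_address(rec[k]) for k in ("Start Address", "End Address"))
            if end < start:
                errs.append(f"{where}: End Address precedes Start Address")
        except (KeyError, ValueError) as exc:
            errs.append(f"{where}: bad address range ({exc})")
    else:
        rec["IP Address"] = rec.get("IP Address") or "0.0.0.0"   # wizard default for an empty cell
        mac = rec.get("MAC Address")
        if mac and not MAC_RE.match(mac):
            errs.append(f"{where}: MAC Address {mac!r} is not six hex pairs")
    return errs

def overlapping(blocks):
    """Pairs of names whose address blocks intersect (the guide's overlap caution)."""
    spans = [(ipaddress.ip_address(b["Start Address"]),
              ipaddress.ip_address(b["End Address"]), b["Name"]) for b in blocks]
    return [(a[2], b[2]) for i, a in enumerate(spans) for b in spans[i + 1:]
            if a[0] <= b[1] and b[0] <= a[1]]

def auto_zone(assets, zones):
    """Map each asset name to the zone whose range contains its IP (None if nothing matches)."""
    zoning = {}
    for a in assets:
        ip = ipaddress.ip_address(a["IP Address"])
        hits = [z["Name"] for z in zones
                if ipaddress.ip_address(z["Start Address"]) <= ip <= ipaddress.ip_address(z["End Address"])]
        zoning[a["Name"]] = hits[0] if hits else None
    return zoning

def duplicate_hosts(assets, zoning):
    """Host names used twice in one zone; the Manager disables the second asset."""
    seen, dups = {}, []
    for a in assets:
        key = (a.get("Host Name", ""), zoning[a["Name"]])
        if key[0] and key in seen:
            dups.append((seen[key], a["Name"]))
        seen.setdefault(key, a["Name"])
    return dups

def check(zones_csv, assets_csv):
    """Run every check over a zones file and an assets file; return the findings."""
    zones, problems = parse(zones_csv, "zones")
    assets, asset_errors = parse(assets_csv, "assets")
    problems += asset_errors + [e for z in zones for e in validate(z, "zones")]
    problems += [e for a in assets for e in validate(a, "assets")]
    zoning = auto_zone(assets, zones)
    return {"problems": problems, "zone_overlaps": overlapping(zones),
            "zoning": zoning, "duplicate_hosts": duplicate_hosts(assets, zoning)}

# Constructed sample files in the guide's header-row style (192.0.2.0/24 is documentation space).
ZONES_CSV = """Name, Start Address, End Address, Dynamic, Category URI
DMZ Public, 192.0.2.0, 192.0.2.24, FALSE,
DMZ Corporate, 192.0.2.32, 192.0.2.63, FALSE, /All Asset Categories/Site Asset Categories/Business Impact Analysis/Network Domains/Email/
LAN Corporate, 192.0.2.40, 192.0.2.80, TRUE,
"""
ASSETS_CSV = """Name, Host Name, IP Address, MAC Address, Static Addressing, Category URI, Category URI, Ignore
DMZ Corp Email Server 1, dmz-mail-1, 192.0.2.35, 21-4D-5B-2A-3B-FF, false, /All Asset Categories/ArcSight System Administration/Databases/, , mail relay
Lab Test machine, lab-111, 192.0.2.5, 21:4D:5B:2A:3B:01, true, , , bench box
R&D Box, lab-111, 192.0.2.6, 21-4D-5B-2A-3B, false, , , bad row
Printer, prn-1, , , , , , no IP given
"""
```

Running check(ZONES_CSV, ASSETS_CSV) flags the LAN Corporate / DMZ Corporate overlap, the ampersand and malformed MAC on line 4, the two lab-111 hosts that would land in DMZ Public, and leaves the printer (IP defaulted to 0.0.0.0) unzoned.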


Working with Assets, Locations, Zones, 
Networks, Vulnerabilities, and Categories 

The Assets resource provides tools for managing assets and asset ranges, and tools for managing the 
other network and asset modeling features associated with assets: 

• Networks 

• Zones 

• Locations 

• Vulnerabilities 

• Asset Categories 

Networks and Zones describe characteristics of how the asset is represented in the network itself; 
Locations, Vulnerabilities, and Asset Categories describe attributes of the assets that can be used for 
prioritization and correlation. 

You can organize any of these distinctions into groups upon which you can set up user access 
controls. 

You can also create a channel based on any of these distinctions to get additional monitoring views into 
the events happening on your network. 

The next topics describe how to manage these resources, and the context actions you can take from 
right-click menus: 

• "Managing Assets" below 

• "Managing Vulnerabilities" on page 128 

• "Managing Zones" on page 135 

• "Managing Networks" on page 136 

• "Managing Asset Categories" on page 136 

• "Managing Locations" on page 137 

• "Managing Customers" on page 138 


Managing Assets 

This topic explains how to: 

• Create, edit, move, and delete assets, and how to select them in the Common Conditions Editor. 
For an overview of what assets are, the resources that comprise them, how they fit into the network 
model, and the ways to populate the network model, see "The Network Model" on page 99. 

• Show assets in an active channel 

Where: Navigator's Resources tab > Assets 
To create or edit an asset: 


Tip: You can create assets manually using the Console (as described in this topic), using the 
Network Model wizard, or dynamically from scanner data. See also, "The Network Model" on 
page 99 and "Populating the Network Model Using the Wizard" on page 110. 
1. Select an asset group. Expand it if you are editing an asset in that group. 

2. If you are creating an asset, right-click the group and choose New Asset. 

If you are editing an asset, right-click the asset and choose Edit Asset. 

3. Select the Attributes tab and enter or change values in the fields described below. 

Asset Attributes 
  Name: The asset's friendly name. This field can default to the asset's host name or IP address. 
  IP Address: The asset's IP address, in dotted-decimal notation. 
  MAC Address: The unique hardware ID for the network device. 
  Host Name: The asset's DNS name. 
  Location: As described in "Locations" on page 105. 
  Zone: As described in "Zones" on page 1045. 


4. Use the other tabs in the Asset Editor as necessary to add resources: 

Asset View tabs and their contents 
  Categories: Use the Add button on this tab to select network categories with which to associate 
  the asset. 
  Alternate Interfaces: Use the Add button on this tab to select a second asset ID if this asset has 
  an additional ID on another network. Alternate interfaces usually apply only to network boundary 
  devices, such as bridges, that have two MAC addresses. 
  Vulnerabilities: Use the Add button on this tab to select certain vulnerabilities with which to 
  associate the asset. 
  Notes: Use the text box and Save button on this tab to write and file additional information 
  concerning the asset. For more information, see "Using Notes" on page 57. 


5. Click OK. 

To move or copy an asset: 

1. Drag and drop the asset into another group. 

2. Choose one: 

• Move to move the asset. 

• Copy to make a separate copy of the asset. 

• Link to create a copy of the asset that is linked to the original asset. Changes to either the original 
or linked asset change both instances of the asset. Deletion of either the original or linked asset 
deletes both instances of the asset. 

To delete an asset: 


Caution: Take care when deleting assets. Asset groups required for correct operation are locked, 
however, depending on your permissions, it is possible to delete the individual assets in those 
groups, such as the assets automatically created to track ArcSight components. 

Do not delete ArcSight System Administration assets without consulting an ArcSight 
administrator. 


1. Right-click an asset and choose Delete Asset. 

2. Click Yes to confirm. 

To show assets in a channel: 

1. Right-click an asset or group of assets and choose Show Assets. 

The assets are displayed in an active channel grid view. 

2. If applicable, you can also show not only assets in the selected group but also all children in the 
group. To do so, right-click an asset group, and choose Show Assets Recursively. 

To find an asset: 

If you want to save time locating one asset in a potentially large set on the Navigator, use resource 
search. See "Finding Resources" on page 687 for instructions. 

Selecting Assets in the Common Conditions Editor 

Purpose: After assets are added to your network model, you can select them when you are defining 
conditions that help you analyze the assets' role in the event being investigated. 

Where used: The Asset Selector appears where you are defining conditions for these resources: 

• Query's Conditions tab 

See "Query Conditions" on page 316 for an example. 

• Rule's Conditions tab 

See "Adding Asset Conditions" on page 500 for an example. 

• Filter's Filters tab 

Same example as for rules. See "Adding Asset Conditions" on page 500. 

• Active Channel's Filter tab 

The channel is using a filter resource containing the asset condition. 

Data Monitors use conditions by referencing a filter resource. 

Below is an example of how a new Assets condition is defined on the filter resource's Filters tab: 



Auto Zoning an Asset 

Purpose: To assign an asset or a group of assets into a network zone. 
Where: Navigator > Assets > an asset group 

• You can auto zone up to 1,000 assets at a time using the Navigator. 

• You cannot use Auto Zone to move locked assets. 

1. Right-click an asset or group of assets and choose Auto Zone. 

2. In the Network Selector dialog, browse for the network containing the zone with an IP address 
range that includes the asset. 

3. Select the network and click OK. 

If a matching zone with an address range that includes the selected asset can be found in the 
network, the zone is assigned to the asset. 

For example, a zone called DMZCorporate is defined in the Local network on the ArcSight 
Manager with a starting address of 192.0.2.0 and an ending address of 192.0.2.22. If an asset 
called DMZCorpDatabase with an IP address of 192.0.2.11 is selected for auto zoning in the 
Local network, the DMZCorporate zone is assigned to the DMZCorpDatabase asset because the IP 
address of the DMZCorpDatabase asset is in the range of addresses specified in the 
DMZCorporate zone. 

If no matching zone is found in the network, no zone is assigned. 

Auto zoning can automatically occur when assets are imported using the Network Model wizard. For 
more information, see "Auto-Zoning of Imported Assets" on page 122. 

Managing Asset Groups 

Asset groups are created to store similar groups or assets in a single location. Groups can be created 
within groups to meet enterprise needs. When a group is created within a group, the new group inherits 
the existing group's permissions. If a group is deleted, the assets within that group are also deleted. 
ArcSight provides these groups: 

• Shared: this group lists assets to which the user has permission. 

• Unassigned: this group lists assets not assigned to a group. 

If you have Administrator access you also see another group named "All Assets" that contains all asset 
groups and assets. 

Caution: Do not exceed 10,000 assets for each asset group. This is to ensure that automatic 
aging of assets works as expected. Asset aging is described in "The Network Model" on page 99. 

For instructions on how to configure asset aging, refer to the "Asset Aging" topic in the ESM 
Administrator's Guide. 
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To create an asset group: 

1. In the Navigator panel's drop-down menu, choose Assets. 

2 . In the Assets resource tree, right-click a group and choose New Group. A "name" text field 
appears under the group you selected. 

3. In the name text field, type in a name. 

4. Press Enter. 

To rename an asset group: 

1. In the Assets resource tree, right-click a group and choose Rename. 

2. In the "name" text field, rename the group. 

To edit an asset group: 

1. In the Assets resource tree, right-click a group and choose Edit Group. 

2 . In the Group Editor, edit the Name and Description text fields. 

To move or copy an asset group: 

1. In the Assets resource tree, navigate to a group and drag and drop it into another group. 

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you choose Copy, you create a separate copy of the group that is not affected when the original 
group is edited. If you choose Link, you create a copy of the group that is linked to the original 
group. Therefore, if you edit a linked group, whether the original or the copy, all links are edited as 
well. When deleting linked groups, you can either delete the selected group or all linked groups. 

To delete an asset group: 

1. In the Assets resource tree, right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 

Managing Vulnerabilities 

This topic describes how to perform the authoring and management tasks for vulnerabilities such as 
creating, editing, moving, and retrieving vulnerable assets. 

See also "Modeling the Network" on page 98. 
Note also that you can create a vulnerability channel. For more information on active channels, see 
"Monitoring Active Channels" on page 210. 

Where: Navigator > Resources > Assets > Vulnerabilities tab 

To create a vulnerability: 

1. In the Navigator panel's drop-down menu, choose Assets, then click the Vulnerabilities tab. 

2. Right-click a group and choose New Vulnerability. 

3. On the Vulnerabilities Attributes tab, type in the following text fields: 

Vulnerability Attributes 

Name 
    The vulnerability's name (required). It can be generated by the ArcSight Manager in response to 
    vulnerability scanners. If so, this field is identical to the External ID field except that the pipe (|) 
    is replaced with a dash (-). For example, CVE|CVE-1999-200 is represented as CVE-CVE-1999-200. 

Knowledge Base Article 
    Optional: A link to a knowledge base article that further describes the vulnerability. 

External ID 
    An ID of the format <standards body>|<id>, such as CVE|CVE-1999-200. 

Owners 
    ArcSight users (analysts) who are interested in the vulnerability. 

Notification Groups 
    ArcSight users (analysts) who are notified of events involving the vulnerability. 


4. On the Vulnerable Assets tab, click the Add New button, if you've defined assets that include this 
vulnerability. 


Note: Refer to "Working with Vulnerable Assets" on page 131 for details on using the 
Vulnerable Assets tab. 


To edit a vulnerability: 

1. Right-click a vulnerability and choose Edit Vulnerability. 

2. On the Attributes tab, type in the text fields as described above. 

3. On the Vulnerable Assets tab, click the Add New button, if you've defined assets that include this 
vulnerability. 
To move or copy a vulnerability: 

1. Drag and drop a vulnerability into another group. 

2. Choose one: 

■ Move to move the vulnerability, 

■ Copy to make a separate copy of the vulnerability, or 

■ Link to create a copy of the vulnerability that is linked to the original vulnerability. 

If you choose Copy, you create a separate copy of the vulnerability that is not affected when the 
original vulnerability is edited. If you choose Link, you create a copy of the vulnerability that is 
linked to the original vulnerability. Therefore, if you edit a linked vulnerability, whether it be the 
original or the copy, all links are edited as well. When deleting linked vulnerabilities, you can either 
delete the selected vulnerability or all linked vulnerability copies. 

To delete a vulnerability: 

1. Right-click a vulnerability and choose Delete Vulnerability. 

2. In the dialog box, click Yes. 

Selecting Vulnerabilities in the Common Conditions Editor 

You can open the Vulnerability Selector from the Reports Query Editor, Rules Editor, Filters Editor, and 
in the Filter Settings panel. In the Vulnerability Selector, you select vulnerabilities to add to reports, 
rules, or filters as a new condition. 

Right-click an Asset node in the Common Conditions Editor (CCE) and choose New "Has 
Vulnerability" Condition. (For more about using the CCE, see "Common Conditions Editor (CCE)" 
on page 864.) 
You use the Vulnerability Selector when performing these tasks: 

• Adding a vulnerability condition to a report query (see "Query Conditions" on page 316) 

• Specifying rule conditions (see "Adding Vulnerability Conditions" on page 501) 

• Using filters (see "Filtering Events" on page 286) 

Working with Vulnerable Assets 

This topic describes tasks associated with the vulnerability resource's Vulnerable Assets tab. 

Where: Navigator > Resources > Assets > Vulnerabilities tab 

To retrieve vulnerable assets: 

1. Right-click a vulnerability and choose Edit Vulnerability. 

2. Select the Vulnerable Assets tab. 

If you used a vulnerability scanner, all vulnerable assets discovered by the scanner are listed on 
this tab. 

3. To refresh the vulnerabilities list, click the Refresh button. 

To add an asset to a vulnerability list: 

1. Right-click a vulnerability and choose Edit Vulnerability. 

2. In the Vulnerability Editor, select the Vulnerable Assets tab. 

3. Click the Add button. 

4. Select an asset in the Assets Selector and click OK. 

To delete an asset from a vulnerability list: 

1. Right-click a vulnerability and choose Edit Vulnerability. 

2. In the Vulnerability Editor, select the Vulnerable Assets tab. 

3. Select an asset and click the Delete button. 

4. In the dialog box, click Yes. 


Managing Vulnerability Groups 


This topic describes the tasks involved in managing vulnerability groups. 

Where: Navigator > Resources > Assets > Vulnerabilities tab 

To create a vulnerability group: 

1. Right-click a vulnerability group and choose New Group. 

A "name" text field appears under the group you selected. 

2. In the "name" text field, type in a name. 

3. Press Enter. 

To rename a vulnerability group: 

1. Right-click a vulnerability group and choose Rename. 

2. In the "name" text field, rename the group. 

3. Press Enter. 
To edit a vulnerability group: 

1. Right-click a vulnerability group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text fields. 

3. Click OK. 

To move or copy a vulnerability group: 

1. Navigate to a vulnerability group and drag and drop it into another group. 

2. Choose: 

■ Move to move the group, 

■ Copy to make a separate copy of the group, or 

■ Link to create a copy of the group that is linked to the original group. 

If you choose Copy, you create a separate copy of the group that is not affected when the original 
group is edited. If you choose Link, you create a copy of the group that is linked to the original 
group. Therefore, if you edit a linked group, whether the original or the copy, all links are edited as 
well. When deleting linked groups, you can either delete the selected group or all linked groups. 

To delete a vulnerability group: 

1. Right-click a vulnerability group and choose Delete Group. 

2. In the dialog box, click Yes. 

Showing Affected Assets 

The Investigate options include the ability to explore events that potentially exploit asset vulnerabilities. 
You can also view an event's targeted assets. 

To show exploited vulnerabilities: 

1. Select an event in a grid view. 

2. Right-click the event and choose Investigate > Show Exploited Vulnerabilities. Available 
information appears in the Vulnerabilities tab of the relevant Asset Editor. 

To show an event's targeted asset: 

1. Select an event in a grid view. 

2. Right-click the event and choose Investigate > Show Targeted Asset. Available information 
appears in the Asset Editor. 

Assets are part of your network model. Refer to "Modeling the Network" on page 98 for more 
information. 

Reporting on Output from Vulnerability Scanners 

You can review the output of asset-vulnerability scanners in active channels and in the Vulnerabilities 
tab of the Asset Editor. 

1. Choose the Assets resource tree in the Navigator panel. 

2. In the Assets tab of the Assets tree, right-click an individual asset and choose Scanner Reports. 
If scanner asset-vulnerability reports are available for the selected asset, they appear in a Viewer 
panel grid view as an active channel. 

3. You can use the standard controls described in "Using Grids and Active Channels" to review the 
reports collectively. 

4. Also in the channel view, you can double-click vulnerability scanner events to open them in the 
Asset Editor, where the Vulnerabilities tab lists the vulnerability details. 

For information on creating and editing assets, see "Modeling the Network" on page 98. 

You can create an active channel for selected scanner reports. For information on using active 
channels, see "Monitoring Active Channels" on page 210. 

Reporting on Asset Vulnerabilities 

You can create reports to show which assets are vulnerable to particular vulnerabilities or threats. 
ArcSight also provides Asset Reports that can be run from the Reports resource tree in the Navigator 
panel. For more information, see "Using Report Templates" on page 375. 

1. In the Navigator panel's drop-down menu, choose Assets, then click the Vulnerabilities tab. 

2. In the Vulnerabilities tree, right-click a vulnerability and choose Vulnerable Assets Report. 

3. In the Report Parameters dialog box, accept the vulnerability listed in the Vulnerability URL text 
field or click the Vulnerability button to run the report on another vulnerability. 

4. Choose a Report File Format from the drop-down menu and click OK. 

Reports can be archived in PDF, HTML, Excel, Comma Separated Value (csv), or Rich Text Format 
(rtf). The default PDF format should be used when archiving reports. Compared to PDF reports, other 
reports may lose formatting information and look different from what you expect. In addition, Excel 
format is more memory-intensive than PDF. 
Managing Zones 

For an overview of zones and how they fit into the network model, see "Zones" on page 103. 

Note: Shrinking or Splitting Zones 

The Zone Editor cannot be used to shrink a zone if there are assets that fall outside the range of the 
new zone. For example, if you have a zone with an address range of 192.0.2.1 to 192.0.2.27 
and an asset in that zone with an IP address of 192.0.2.15, you cannot change the upper end of 
the zone range to 192.0.2.10 but you can change it to 192.0.2.20. 

For shrinking or splitting zones that might encounter such issues, we suggest using a package 
export and import operation. You can export the asset resources and then import them back in. 
Package import and install automatically assigns assets to appropriate zones similar to the 
auto-zoning used by the Network Model Wizard. See "Managing Packages" on page 693, "Populating 
the Network Model Using the Wizard" on page 110, and "Auto-Zoning of Imported Assets" on 
page 122. 
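The rule in the note above (a zone cannot be shrunk past an asset that lives in it) and the range matching that auto-zoning relies on can be checked outside the Console before you attempt the edit. The Python below is an added example written for this page, not ArcSight code: the zone names, asset names and addresses are constructed from documentation address space, and treating auto-zoning as "the narrowest zone whose inclusive range covers the address" is an assumption about how a zone is picked, not something the guide states.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Zone:
    """A network zone: a named, inclusive IPv4 address range (Start Address .. End Address)."""
    name: str
    start: IPv4Address
    end: IPv4Address

    def contains(self, addr: IPv4Address) -> bool:
        return self.start <= addr <= self.end


def make_zone(name: str, start: str, end: str) -> Zone:
    s, e = IPv4Address(start), IPv4Address(end)
    if e < s:
        raise ValueError(f"{name}: end address {e} precedes start address {s}")
    return Zone(name, s, e)


# Constructed sample data (RFC 5737 documentation ranges), not a real deployment.
ZONES: List[Zone] = [
    make_zone("Office LAN", "192.0.2.1", "192.0.2.27"),
    make_zone("DMZ", "198.51.100.1", "198.51.100.254"),
]

ASSETS: Dict[str, IPv4Address] = {
    "web-01": IPv4Address("192.0.2.15"),
    "db-01": IPv4Address("192.0.2.3"),
    "proxy-01": IPv4Address("198.51.100.7"),
}


def assets_outside(zone: Zone, new_start: str, new_end: str,
                   assets: Dict[str, IPv4Address]) -> List[str]:
    """Names of assets currently in `zone` that the proposed range would no longer cover."""
    proposed = make_zone(zone.name, new_start, new_end)
    return sorted(name for name, addr in assets.items()
                  if zone.contains(addr) and not proposed.contains(addr))


def can_shrink(zone: Zone, new_start: str, new_end: str,
               assets: Dict[str, IPv4Address]) -> bool:
    """Mirror the Zone Editor rule: the shrink is rejected if any asset would fall outside."""
    return not assets_outside(zone, new_start, new_end, assets)


def auto_zone(addr: str, zones: List[Zone]) -> Optional[str]:
    """Zone an imported asset lands in (assumption: the narrowest covering range wins)."""
    ip = IPv4Address(addr)
    matches = [z for z in zones if z.contains(ip)]
    if not matches:
        return None
    return min(matches, key=lambda z: int(z.end) - int(z.start)).name


if __name__ == "__main__":
    office = ZONES[0]
    print(assets_outside(office, "192.0.2.1", "192.0.2.10", ASSETS))  # ['web-01']
    print(can_shrink(office, "192.0.2.1", "192.0.2.20", ASSETS))       # True
    print(auto_zone("198.51.100.7", ZONES))                             # DMZ
```

Running `assets_outside` against an export of the zone's assets before editing tells you exactly which assets block the shrink, which is the information the Zone Editor's refusal does not give you.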


Zone Attributes 

Name 
    A descriptive name for the IP address range the network zone represents (required). 

Start Address 
    Provide an IP address that identifies the start of the network scope. 

End Address 
    Provide an IP address that identifies the end of the network scope. 

Dynamic Addressing 
    Click this option on or off to indicate whether this network uses dynamic addressing. 

    • Checkmark (toggle on) this option to indicate that the network you are describing uses 
      dynamic addressing (Dynamic Host Configuration Protocol or DHCP server). 

    • Leave this option unchecked (toggle off) if the network you are describing does not use 
      dynamic addressing (but, rather, uses static IP addresses). 

Location 
    Select a location for this zone. 

Network 
    Select the network in which this zone resides. 


In addition to the above zone Attributes, the Zone Editor includes subtabs for adding Assets and 
Categories into the zone you are configuring. 
Managing Networks 

For an overview of networks and how they fit into the network model, see "The Network Model" on 
page 99. 


Network Attributes 

Name 
    A descriptive name for the network (required). 

Customer 
    The Customer name is typically used if configuring assets for a customer on behalf of 
    a managed security service provider (MSSP). 

Location 
    This is an optional field for a descriptive name of the geographical location of the 
    network. 


In addition to network Attributes (described above), the Network Editor includes subtabs for adding 
Connectors and Zones into the selected network you are configuring. 


Managing Asset Categories 

To view the available asset categories: 

1. On the Navigator resource tree, choose Assets. 

2. Go to the Categories tab and expand a node, for example, Site Asset Categories. 

The Categories tab provides options to organize assets into groups based on categories. 

From the Navigator right-click menu on Asset Categories, you have several views and tools to help 
manage assets. From this menu, you can: 

• Create channels to show asset categories and assets. 

• Move assets into and out of category groups. 

• Create new category groups. 

• Configure access control lists (ACLs) to limit or allow user access to groups of assets (see 
"Managing Permissions" on page 189). 

One asset can have multiple asset categories. You can also assign asset categories to groups of 
resources. This transfers the asset category onto all the members of the group and its subgroups. 
To assign an asset category: 

1. In the Navigator drop-down menu, go to Assets. Select the Assets tab. Go to ArcSight System 
Administration/Agents to find the SmartConnectors installed for your environment. 

2. Right-click the asset or asset group you wish to categorize and select Edit Asset (or Edit 
Group). 

3. In the Inspect/Edit panel, click the Categories tab. Click the Add icon at the top of the screen. 

4. In the Asset Categories Selector pop-up window, select the asset categories that apply to this 
asset and click OK. For example: 

a. The usage category that applies to the asset (for example, /All Asset Categories/Site 
Asset Categories/Business Impact Analysis/Business Role/Revenue Generation) 

b. The criticality level that applies to the asset (for example, /All Asset Categories/System 
Asset Categories/Criticality/Very High) 

5. Repeat steps 3 and 4 for every asset or group of assets you want to classify in one of the asset 
categories. 

For an overview of asset categories and how they fit into the network model, see "Asset Model" on 
page 105. 


Managing Locations 

For an overview of locations and how they fit into the network model, see "Locations" on page 105. 

Where: Navigator > Assets > Locations subtab 

To create or edit a location: 

1. Right-click an unlocked Locations group and choose New Location. 

2. Set the following attributes: 


Location Attributes 

Name 
    A descriptive name for the geographical location (required). 

Latitude 
    Latitude for the location. The format for this measurement is a preference setting for the 
    Console (menu option Edit > Preferences, click Latitude and Longitude). For more information, 
    see "Setting Latitude and Longitude Options" on page 86. 

Longitude 
    Longitude for the location. The format for this measurement is a preference setting for the 
    Console (menu option Edit > Preferences, click Latitude and Longitude). For more information, 
    see "Setting Latitude and Longitude Options" on page 86. 

Address 
    Provide details for City, Region Code, Postal Code, and Country as required. 


Managing Customers 

Purpose: Customer tagging is a feature developed mainly to support Managed Security Services 
Provider (MSSP) environments, although it can also be used by private organizations to denote cost 
centers, internal groups, or subdivisions. The Customer designation keeps event traffic from multiple 
cost centers and/or business units clearly identified and separate. For more general information about 
this feature, see ESM 101. 

The Customers resource tree, when populated, maps out the various external or internal customer 
accounts your enterprise tracks for cost, security analysis, or administrative reasons. These accounts, 
if present, are usually set up as part of the ArcSight deployment process. If the Customers resource 
tree is abbreviated or empty, your organization is probably not using this feature. 

When the Customers resource tree is populated, you primarily use its branches as references in 
analysis filters that exclude or include certain customers. 

Apart from analysis, the activities necessary to maintain the Customers resource tree include creating 
new customer references, editing existing references, and occasionally deleting references. 

Where: Navigator > Resources > Customers 

To create customers: 

When you create a customer, remember that the branch you add to the resource tree has to match the 
Customer URI attribute configured for that branch in the relevant SmartConnectors. In other words, you 
create customer-tracking resources only for those customers that have parallel URI values set in the 
SmartConnectors that monitor their devices. 

1. Right-click a customer group and choose New Customer. 

2. In the Customer Editor, enter values for the properties that identify the customer. Note that the 
Name value has to complete the correct Customer URI for this account as found in its related 
SmartConnectors. 

3. On the Networks tab, add the network for this customer, as required. 

4. Click Apply to update the customer and leave the editor open, or OK to complete editing and close 
the editor. 
To edit customers: 

1. Right-click a customer and choose Edit Customer. 

2. Change the values, as appropriate. 

3. Click Apply to update the customer and leave the editor open, or OK to complete editing and 
close the editor. 

To delete customers: 

1. Right-click a customer and choose Delete Customer. 

2. Click Yes to confirm the deletion. 
Chapter 5: Managing SmartConnectors 

ArcSight SmartConnectors, if installed and configured to send events to the Manager, are available on 
the Console for further configuration. SmartConnectors that appear on the Console as resources are 
called registered connectors. 

You can configure ArcSight SmartConnectors to optimize their performance and increase their 
functionality. For example, you can configure SmartConnectors to enable aggregation, batching, and 
time filter correction functionality. You can also send control commands from the ArcSight Console or 
the ArcSight Command Center to SmartConnectors to manage the flow of events. 


Selecting and Setting SmartConnector Parameters 140 

Managing SmartConnector Filter Conditions 159 

Setting Special Severity Levels 161 

Sending Model Mappings to SmartConnectors 163 

Sending Control Commands to SmartConnectors 163 

Managing SmartConnector Groups 171 

Importing and Exporting SmartConnector Configurations 173 

Using Additional Data Fields 175 

Upgrading SmartConnectors 175 


In addition to managing registered SmartConnectors through the Console, you can also manage them from 
the Administration section of the Command Center. Refer to the Command Center User's Guide for 
information. Through the Command Center, you can send commands to the Connectors being 
managed. 


Selecting and Setting SmartConnector 
Parameters 

From the ArcSight Console, use the Connector Editor to control SmartConnectors that are registered in 
the ArcSight Manager. 


Configuring the SmartConnector 

A SmartConnector can have a default and a number of alternate configurations. 

An alternate configuration is a set of runtime parameters that is used instead of the default configuration 
during a specified portion of every day. For example, you might want to specify different batching 
schemes (by severity or size) for different times of a day. You can define more than one alternate 
configuration per destination and apply them to the destination for different time ranges during the day. 
For example, you can define a configuration for the 8 a.m. to 5 p.m. time range and another configuration for 
the 5 p.m. to 8 a.m. time range. 

Where: Navigator > Resources > Connectors 

To define default configurations: 

1. Right-click the SmartConnector you want to manage and choose Configure. 

This opens the Inspect/Edit panel for the Connector Editor. On the Connector tab, the Name 
field is automatically populated with the name assigned during SmartConnector Installation. 

2. Type the Connector Location and the Device Location. All events are tagged with these fields 
by the SmartConnector. Creation date and other information are automatically populated. 

3. On the Default tab, change any additional Batching, Time Correction or other parameters as 
desired, using the configuration fields explanations provided in "Default Content Tab Configuration 
Fields" on page 144. 

4. Entering data in the Common and Assign sections is optional, depending on how your environment 
is configured. For information about the Common and Assign attributes sections, as well as the 
read-only attribute fields in Parent Groups and Creation Information, see "Common Resource 
Attribute Fields" on page 685. 

5. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

6. Click Apply to add your changes and to keep the Connector Editor open, or click OK to close the 
editor. 

The description entry associated with the setting provides tool tip information. These parameters are 
not localized since they come directly from the connector and the connector may contain new 
resources (since it may be a newer version). 

The framework for connector commands operates in a similar way. Configuration of the connector 
command menu is achieved by sending the list of commands that are supported on the connector at 
registration time. 

To create alternate configurations: 

1. Open the Inspect/Edit panel of the SmartConnector. 

2. On the Default tab, click Add Alternate. 

A new tab, Alternate #1, is added to the edit panel. The alternate tab provides fields for entering a 
time interval. 

3. Under Time Interval, enter times for From and To. Make additional changes as required, then 
click Apply. 

4. Repeat the process if you want additional alternates using different time intervals and different 
parameters. For example, create alternates if you want varying batching schemes based on 
severity or size on certain times of the day. 

If the time ranges of the combined alternate configurations do not span 24 hours, the default parameters 
will be used to cover the time intervals not already defined in the alternates. 

Connector Editor Tabs 

The Connector Editor provides several options you can adjust. The options are organized in tabs and 
subtabs, described below. 

Tabs on the Connector Editor 

Connector 
    Basic identification, ownership, and date/time parameters. See "Connector Tab Configuration 
    Fields" on the next page. 

Networks 
    The ArcSight networks to which the connector is or can be assigned. 

Default: Content 
    Includes options for report batching, aggregation, and time corrections. See "Default Content 
    Tab Configuration Fields" on page 144. 

Default: Filters 
    A filter condition editor for constraining what the connector reports. (See "Managing SmartConnector 
    Filter Conditions" on page 159 and "Common Conditions Editor (CCE)" on page 864 for details on 
    how to define filters for connectors.) 

Alternate: Content 
    A set of options identical to those under Default, which you can use to create alternate 
    configurations. Appears only after you add an Alternate tab. 

Alternate: Filters 
    A filter condition editor for constraining what the connector reports, in an alternate configuration. 

Notes: Table 
    A text editor for, and tabular list of, configuration notes. 

Notes: List 
    A text editor for, and text presentation of, configuration notes. 
Connector Tab Configuration Fields 

You do basic configuration through the Connector and Default: Content tabs. Many of these fields 
correspond to resource editor fields. See also "Common Resource Attribute Fields" on page 685. 

Fields on the Connector Tab 

Name 
    The Name text field is automatically populated with the name assigned during 
    SmartConnector installation. 

ID 
    The identification string assigned during SmartConnector installation. 

Status 
    The SmartConnector's current mode of operation. 

Connector Location 
    A description of the (usually) physical location of the SmartConnector. This appears in 
    all the events issued from the connector. 

Device Location 
    A description of the (usually) physical location of the device the SmartConnector is 
    monitoring. This appears in all the events issued from the connector. 

Version 
    The connector's software version number. 

External ID 
    An identification string suitable for, and which can be referenced by, systems outside 
    ESM. Common applications of External IDs include appropriate naming for Case and 
    Asset resources that are tracked in common with defect reporting or vulnerability-management 
    systems. If your system interfaces with a third-party incident tracking system, such as 
    Remedy, enter an ID that corresponds to that system. Your administrator can advise you on 
    the correct values for this field, if applicable. 

Alias 
    An optional alternate identification string used for referencing resources. If given, this 
    alias appears in place of the resource's name everywhere it may be seen. Your 
    administrator can advise you on the correct values for this field, if applicable. 

    If you use an alternate event naming scheme in your environment, enter an alias for 
    this resource here. 

Description 
    A text description of the configuration or other related information. 

Owner 
    A user selected from the Users resource tree who should be notified about this connector. 

Notification Groups 
    The user groups selected from the Users resource tree who should be notified about 
    this connector. 

Created By 
    A user identity provided at SmartConnector installation. 

Creation Time 
    The time of SmartConnector installation. 

Time Since Creation 
    A value calculated from Creation Time. 

Last Updated By 
    The user who made the last configuration change. 

Last Update Time 
    The time of the last configuration change. 

Time Since Last Update 
    A value calculated from Last Update Time. 


Default Content Tab Configuration Fields 

SmartConnector configuration options available may vary depending on which version of 
SmartConnectors you are using. SmartConnector configuration options come directly from the 
connector, and newer versions of connectors might contain new or different resources than previous 
versions. 

The following table shows the Default Content Tab Configuration Fields. 


Fields on the Default Tab 

Batching 
    SmartConnectors can batch events to increase performance and optimize network 
    bandwidth. When activated, SmartConnectors create blocks of events and send 
    them when they either (1) reach a certain size or (2) the time window expires. You 
    can also prioritize batches by severity, forcing the SmartConnector to send the 
    highest-severity event batches first and the lowest-severity event batches later. 

Enable Batching (per event) 
    Create batches of events of this specified size (5, 10, 20, 50, 100 events). 

Enable Batching (in seconds) 
    The SmartConnector sends the events if this time window expires (1, 5, 10, 15, 30, 60). 

Batch By 
    This is Time Based if the SmartConnector should send batches as they arrive (the 
    default) or Severity Based if the SmartConnector should send batches based on 
    severity (batches of Highest Severity events sent first). 
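The three batching fields describe one small state machine: a batch is released when it reaches the configured size or when the time window expires, and in Severity Based mode the highest-severity batch is handed over first. The Python below is an added example for this page, not SmartConnector code; it models that behaviour with an injectable clock so the window can be exercised without sleeping. The severity scale, event names, and the choice to keep one open bucket per severity in Severity Based mode are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

BATCH_SIZES = (5, 10, 20, 50, 100)   # "Enable Batching (per event)" choices from the table
WINDOWS = (1, 5, 10, 15, 30, 60)     # "Enable Batching (in seconds)" choices from the table


@dataclass(frozen=True)
class Event:
    name: str
    severity: int  # constructed scale for this example: higher number = higher severity


class EventBatcher:
    """Groups events into batches released by size or by time window, time- or severity-based."""

    def __init__(self, batch_size: int = 5, window_seconds: int = 10,
                 batch_by: str = "time", clock: Callable[[], float] = time.monotonic):
        if batch_size not in BATCH_SIZES or window_seconds not in WINDOWS:
            raise ValueError("unsupported batch size or time window")
        if batch_by not in ("time", "severity"):
            raise ValueError("batch_by must be 'time' or 'severity'")
        self.batch_size, self.window_seconds, self.batch_by = batch_size, window_seconds, batch_by
        self._clock = clock
        # Severity mode: one open bucket per severity. Time mode: a single bucket under key 0.
        self._buckets: Dict[int, List[Event]] = {}
        self._window_start: Optional[float] = None
        self._ready: List[List[Event]] = []

    def _key(self, event: Event) -> int:
        return event.severity if self.batch_by == "severity" else 0

    def add(self, event: Event) -> None:
        """Queue one event; a bucket that reaches batch_size becomes a ready batch at once."""
        now = self._clock()
        if self._window_start is None:
            self._window_start = now  # the window opens with the first pending event
        key = self._key(event)
        bucket = self._buckets.setdefault(key, [])
        bucket.append(event)
        if len(bucket) >= self.batch_size:
            self._ready.append(self._buckets.pop(key))
            if not self._buckets:
                self._window_start = None
        self._expire_window(now)

    def _expire_window(self, now: float) -> None:
        """When the window expires, every partially filled bucket is flushed as its own batch."""
        if self._window_start is not None and now - self._window_start >= self.window_seconds:
            for key in sorted(self._buckets):
                self._ready.append(self._buckets.pop(key))
            self._window_start = None

    def poll(self) -> List[List[Event]]:
        """Batches to send now; in severity mode the highest-severity batch comes first."""
        self._expire_window(self._clock())
        ready, self._ready = self._ready, []
        if self.batch_by == "severity":
            ready.sort(key=lambda batch: batch[0].severity, reverse=True)
        return ready


class FakeClock:
    """Controllable clock so the time window can be exercised deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_severity_ordering() -> List[List[str]]:
    """Constructed run: partial low- and high-severity buckets; on window expiry, high goes first."""
    clock = FakeClock()
    batcher = EventBatcher(batch_size=5, window_seconds=10, batch_by="severity", clock=clock)
    for i in range(3):
        batcher.add(Event(f"low-{i}", severity=3))
    for i in range(2):
        batcher.add(Event(f"high-{i}", severity=9))
    assert batcher.poll() == []  # nothing is full yet and the window is still open
    clock.advance(10)
    return [[e.name for e in batch] for batch in batcher.poll()]


def demo_size_trigger() -> List[List[List[str]]]:
    """Time-based mode: five events fill a batch immediately; the two left over wait for the window."""
    clock = FakeClock()
    batcher = EventBatcher(batch_size=5, window_seconds=10, batch_by="time", clock=clock)
    for i in range(7):
        batcher.add(Event(f"e{i}", severity=i))
    first = [[e.name for e in b] for b in batcher.poll()]
    clock.advance(10)
    second = [[e.name for e in b] for b in batcher.poll()]
    return [first, second]
```

The two demo functions show the operational trade-off the table hints at: Severity Based delivery gets critical events to the Manager ahead of noise, but a low-severity trickle that never fills a batch is delayed by up to the full window, so the window setting bounds how stale the lowest-severity events can become.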
Time Correction 
    The values you set for these fields establish forward and backward time limits that, if 
    exceeded, cause the SmartConnector to automatically correct the time reported by 
    the device. 

Use Connector Time as Device Time 
    (No | Yes) Override the time the device reports and instead use the time at which the 
    connector received the event. This option assumes that the connector is more likely 
    to report the correct time. The default is No. 

Enable Device Time Correction (in seconds) 
    The SmartConnector can adjust the time reported by the device (Detect Time), using 
    this setting. This is useful when a remote device's clock isn't synchronized with the 
    ArcSight Manager. This should be a temporary setting. The recommended way to 
    synchronize clocks between Manager and devices is the NTP protocol. 

Enable Connector Time Correction (in seconds) 
    The SmartConnector can also adjust the Connector Time reported by the 
    SmartConnector itself, using this setting. This is for informational purposes only and 
    allows you to modify the local time on the SmartConnector. This should be a 
    temporary setting. The recommended way to synchronize clocks between Manager 
    and SmartConnectors is the NTP protocol. 

Set Device Time Zone To 
    (Disabled | <TimeZone>) (Default is Disabled) Ordinarily, it is presumed that the 
    original device is reporting its time zone along with its time. If not, it is then 
    presumed that the SmartConnector is doing so. If this is not true, or the device isn't 
    reporting correctly, you can switch this option from Disabled to GMT or to a particular 
    world time zone. That zone is then applied to the time reported. 

Device Time Auto-correction 

Future Threshold 
    The connector sends the internal alert if the detect time is greater than the connector 
    time by Future Threshold seconds. 

Past Threshold 
    The connector sends the internal alert if the detect time is earlier than the connector 
    time by Past Threshold seconds. 

Device List 
    A comma-separated list of the devices to which the thresholds apply. The default, 
    (ALL), means all devices. 

Time Checking 
    These are the time span and frequency factors for doing device-time auto-correction. 

Future Threshold 
    The number of seconds by which to extend the connector's forward threshold for 
    time checking. 

Past Threshold 
    The number of seconds by which to extend the connector's rear threshold for time 
    checking. Default is 1 hour (3,600 seconds). 

Frequency 
    The SmartConnector checks its future and past thresholds at intervals specified by 
    this number of seconds. Default is 1 minute (60 seconds). 
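The time fields above amount to a few rules applied to each event's Detect Time: an optional fixed offset, an override that substitutes the connector's receive time, and a future/past threshold check, scoped by Device List, that raises an internal alert. Clock skew matters to a defender because correlation rules and active channels order events by time, so a device that is hours off silently drops out of time-window rules. The Python below is an added example for this page, not connector code: the table's fields are mapped to dataclass attributes, the device names, timestamps and threshold values are constructed, the Device Time Auto-correction thresholds are modelled (the Time Checking fields are left out), and treating Device Time Correction as a plain addition of seconds is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TimeSettings:
    """Default tab time fields as plain values. Defaults follow the guide where it gives one;
    the threshold values are constructed for this example."""
    use_connector_time_as_device_time: bool = False   # "Use Connector Time as Device Time" (No)
    device_time_correction: int = 0                   # seconds added to the reported Detect Time
    future_threshold: int = 300                       # alert if detect time is this far ahead
    past_threshold: int = 3600                        # alert if detect time is this far behind
    device_list: Tuple[str, ...] = ("(ALL)",)         # devices the thresholds apply to


@dataclass(frozen=True)
class RawEvent:
    device: str
    detect_time: int      # epoch seconds as reported by the device
    connector_time: int   # epoch seconds when the connector received the event


@dataclass(frozen=True)
class NormalizedEvent:
    device: str
    detect_time: int
    alert: Optional[str]


def applies_to(device: str, settings: TimeSettings) -> bool:
    """Device List semantics: "(ALL)" covers every device, otherwise an explicit name match."""
    return "(ALL)" in settings.device_list or device in settings.device_list


def normalize(event: RawEvent, settings: TimeSettings) -> NormalizedEvent:
    """Apply the time settings to one event's Detect Time and report any internal alert."""
    if settings.use_connector_time_as_device_time:
        # The device clock is ignored altogether, so there is no skew left to check.
        return NormalizedEvent(event.device, event.connector_time, None)

    detect = event.detect_time + settings.device_time_correction
    alert = None
    if applies_to(event.device, settings):
        skew = detect - event.connector_time
        if skew > settings.future_threshold:
            alert = f"{event.device}: detect time {skew}s ahead of connector time"
        elif -skew > settings.past_threshold:
            alert = f"{event.device}: detect time {-skew}s behind connector time"
    return NormalizedEvent(event.device, detect, alert)


def audit(events: List[RawEvent], settings: TimeSettings) -> List[str]:
    """The internal alerts a set of events would raise under `settings`."""
    return [n.alert for n in (normalize(e, settings) for e in events) if n.alert]


# Constructed sample: one connector clock, three devices with different clock states.
T0 = 1_700_000_000
SAMPLE = [
    RawEvent("fw-01", T0, T0),             # in sync
    RawEvent("fw-02", T0 + 400, T0),       # 400 s ahead: beyond the 300 s future threshold
    RawEvent("ids-01", T0 - 5_000, T0),    # 5000 s behind: beyond the 3600 s past threshold
]

if __name__ == "__main__":
    for line in audit(SAMPLE, TimeSettings()):
        print(line)
    # A fixed -400 s correction brings fw-02 into sync and clears its alert.
    print(audit([SAMPLE[1]], TimeSettings(device_time_correction=-400)))
    # Thresholds scoped to fw-01 only: the other devices are no longer checked.
    print(audit(SAMPLE, TimeSettings(device_list=("fw-01",))))
```

The Device List case is the one to watch in practice: scoping the thresholds to a subset of devices means a skewed device outside that list produces no alert at all, which is the same outcome as the check being off.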
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Fields on the Default Tab, continued 


Name Field 

Value Field 

Cache:
Changing these settings does not affect the events already cached; it only affects new 
events sent to the cache. 

Cache Size:
SmartConnectors use a compressed disk cache to hold large volumes of events 
when the ArcSight Manager is down or when the SmartConnector receives bursts of 
events. This parameter specifies the disk space to use. The default is 1 GB which, 
depending on the connector, can hold about 15 million events, but it also can go 
down to 5 MB. When this disk space is full, the SmartConnector drops the oldest 
events to free up disk cache space. (5 MB, 50 MB, 100 MB, 200 MB, 250 MB, 500 MB, 
1 GB, 2.5 GB, 5 GB, 10 GB, 50 GB.) 

Notification Threshold:
The size of the cache's contents at which to trigger a notification. Default is 10,000. 

Notification Frequency:
How often to send notifications when the Notification Threshold is reached. (1 min, 5 
min, 10 min, 30 min, 60 min.) 

Payload Cache:
If the represented SmartConnector supports it, setting this to True causes the 
connector to automatically create and populate a cache for device payload data. The 
payload data is retrieved from the original device or retained from the received event 
data, depending on how it operates. The default setting is False. Consult a 
SmartConnector's Configuration Guide to find out whether it supports this capability. 
Changes to this setting take effect after you restart the SmartConnector. 

Payload Cache Size:
If Payload Cache is True, these choices determine the maximum size of the cache. 
The cache operates on a last-in-first-out (LIFO) basis. 

Network 

Heartbeat Frequency:
This setting controls how often the connector sends a heartbeat message to the 
ArcSight Manager. The default is 10 seconds, but it can go from 5 seconds to 10 
minutes. Note that the heartbeat is also used to communicate with the 
SmartConnector; therefore, if its frequency is set to 10 minutes, then it could take 
as much as 10 minutes to send any configuration information or commands back to 
the SmartConnector. 

Enable Name Resolution:
(Enabled | Disabled) The SmartConnector tries to resolve IP addresses to host 
names, and host names to IP addresses, if the event rate allows it and if required. 
This setting controls this functionality. The Source, Target and Device IP addresses 
and Hostnames may also be affected by this setting. (The default is Enabled.) 

Name Resolution TTL (secs):
This is the amount of time (Time to Live) the name resolution is to be in effect. The 
name resolution entries are cached for this time (default is 3600). 

Wait For Name Resolution:
(Yes | No) If set to Yes, the SmartConnector waits for name resolution to be 
completed (default is No). 

Name Resolution Host Name Only:
(Yes | No) If set to Yes, for reverse resolution (IP Address to Host name), only the 
host name field is set. If set to No, the host name is split up and put into both the 
DNS domain and the host name fields. This affects the source, destination, device 
and SmartConnector name fields (default is Yes). 

Name Resolution Domain from Email:
(Yes | No) If set to Yes, and the host name and DNS domain fields are empty and the 
corresponding user name field appears as an e-mail address, then the domain from 
the e-mail address is put in the DNS domain field. This only affects the source and 
destination fields (default is Yes). 

Clear Host Names Same as IP Address:
(Yes | No) If set to Yes and the host name field is set to an IP Address that matches 
the corresponding IP Address field, then the host name field is cleared. This affects 
the source, destination, and device fields (default is Yes). 

Set Host Names to IP Addresses When Unknown:
(Yes | No) If set to Yes, host names that remain unresolved are set to IP addresses 
(default is No). 

Don’t Resolve Host Names Matching:
By default, host names are resolved to their IP addresses. You have the option to 
specify a regular expression for all or part of a host name for which you do not want 
the system to attempt host name resolution to an IP address. 

When this option is configured, the system does not attempt to resolve host names 
matching this expression. 

Don’t Reverse-Resolve IP Ranges:
By default, IP addresses are resolved to their domain names. You have the option to 
specify IP address ranges for which you do not want the system to attempt reverse 
resolution to domain names. 

Click in the field to enter the IP address range. To enter a single IP address, enter the 
address under the From column and leave the To column blank, then click Apply. 

For an address range, enter the starting IP address under From and the ending 
address under To, then click Apply. This field allows you to enter a list of ranges. 

When this option is configured, the system does not attempt to reverse-resolve IP 
addresses that fall within any of the specified ranges. 

Remove Unresolvable Names/IPs from Cache:
(Yes | No) If set to Yes, unresolvable host names or IP addresses continue to be in 
the cache (default is No). 
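The name-resolution settings above interact, and the order in which they are applied decides what ends up in the host name and DNS domain fields. The following is an added example (not ArcSight code) that applies the settings to one side of an event in one plausible order: clear a host name that merely repeats its IP, forward-resolve unless the name matches the exclusion regex, reverse-resolve unless the address is in an excluded range, fill the DNS domain from an e-mail-style user name, and finally fall back to the IP when the name is still unknown. The order, the CEF-style field names, the lookup tables standing in for DNS and all sample values are assumptions made for the example.

```python
import ipaddress
import re

# Constructed stand-ins for DNS so the example runs offline; nothing here
# performs a real lookup.
FORWARD = {"web01.corp.example": "10.1.2.3"}
REVERSE = {"10.1.2.3": "web01.corp.example", "192.0.2.10": "vpn.example.net"}

# Keys are named after the Default tab fields; the values are chosen for the
# example and are not the product defaults.
SETTINGS = {
    "host_name_only": False,          # Name Resolution Host Name Only
    "domain_from_email": True,        # Name Resolution Domain from Email
    "clear_host_same_as_ip": True,    # Clear Host Names Same as IP Address
    "host_to_ip_when_unknown": True,  # Set Host Names to IP Addresses When Unknown
    "dont_resolve_regex": r"^dhcp-",  # Don't Resolve Host Names Matching
    "dont_reverse_ranges": [("192.0.2.0", "192.0.2.255")],  # Don't Reverse-Resolve IP Ranges
}


def in_ranges(ip, ranges):
    """True if ip falls in any (from, to) range; to=None means a single address."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end else lo
        if lo <= addr <= hi:
            return True
    return False


def split_fqdn(fqdn, host_name_only):
    """Host Name Only keeps the whole name; otherwise split host and DNS domain."""
    if host_name_only:
        return fqdn, ""
    host, _, domain = fqdn.partition(".")
    return host, domain


def resolve_side(host, ip, domain, user, s=SETTINGS):
    """Apply the settings to one side (source or destination) of an event."""
    # Clear Host Names Same as IP Address
    if s["clear_host_same_as_ip"] and host and host == ip:
        host = ""
    # Forward resolution, unless the name matches the exclusion regex
    if host and not ip and not re.search(s["dont_resolve_regex"], host):
        ip = FORWARD.get(host, "")
    # Reverse resolution, unless the address is in an excluded range
    if ip and not host and not in_ranges(ip, s["dont_reverse_ranges"]):
        fqdn = REVERSE.get(ip)
        if fqdn:
            host, new_domain = split_fqdn(fqdn, s["host_name_only"])
            domain = domain or new_domain
    # Name Resolution Domain from Email
    if s["domain_from_email"] and not host and not domain and "@" in user:
        domain = user.rsplit("@", 1)[1]
    # Set Host Names to IP Addresses When Unknown
    if s["host_to_ip_when_unknown"] and not host and ip:
        host = ip
    return host, ip, domain


def normalize(event, s=SETTINGS):
    """Apply resolve_side to the source and destination fields of an event."""
    ev = dict(event)
    for side in ("source", "destination"):
        host, ip, domain = resolve_side(
            ev.get(side + "HostName", ""), ev.get(side + "Address", ""),
            ev.get(side + "DnsDomain", ""), ev.get(side + "UserName", ""), s)
        ev[side + "HostName"], ev[side + "Address"], ev[side + "DnsDomain"] = host, ip, domain
    return ev


def demo():
    """Constructed event: the source host name is just its own IP, and the
    destination sits in a range that must not be reverse-resolved."""
    event = {
        "sourceHostName": "10.1.2.3", "sourceAddress": "10.1.2.3",
        "destinationAddress": "192.0.2.10", "destinationUserName": "alice@example.org",
    }
    return normalize(event)
```

In the sample, the source name is cleared and then reverse-resolved to web01 in corp.example, while the destination is left unresolved, gets its DNS domain from the e-mail address, and has its host name set to the IP because it remained unknown.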

Limit Bandwidth To:
A list of bandwidth options you can use to constrain the connector's output over the 
network. (Disabled, 1 kbit/sec to 10 Mbits/sec.) 

Transport Mode:
You can configure the SmartConnector to cache to disk all the processed events it 
receives. This is equivalent to pausing the SmartConnector. However, you can use 
this setting to delay event-sending during particular time periods. For example, you 
could use this setting to cache events during the day and send them at night. You 
can also set the connector to cache all events, except for those marked with a very- 
high severity, during business hours, and send the rest at night. (Normal | Cache | 
Cache but send Very High severity events). 

Cache Mode:
(Normal | Drop if Dest Down) This option is meant to be used on a primary 
destination to control the caching behavior of the primary destination when it is down, 
and the connector starts sending events to the failover destination. In the Normal 
mode, events are cached and sent to the primary destination when it comes back up. 
In the Drop if Dest Down mode, the events are not cached but dropped, and therefore 
not sent to the primary destination when it becomes available again (default is 
Normal). 

Zone Population Mode:
(Normal | Rezone (override) | No Zoning (clear)) Setting to Normal means zones are 
computed and assigned, if not already set. Rezone (override) re-computes and 
re-assigns already populated zones. No Zoning (clear) clears the zones, if already 
populated (default is Normal). 

Customer URI:
Applies the given customer URI to events emanating from the connector. Provided 
the customer resource exists, all customer fields are populated on the ArcSight 
Manager. If this particular connector is reporting data that might apply to more than 
one customer, you can use Velocity templates in this field to conditionally identify 
those customers. 

Source Zone URI:
When populated, this field shows the URI of the zone associated with the 
SmartConnector's source address. How this field gets populated is discussed in the 
Zones section of the SmartConnectors topic. This field is present for ESM v3.0 
compatibility. It is not relevant in post ESM 3.0 releases because of integral zone 
mapping. 

Source Translated Zone URI:
When populated, this field shows the URI of the zone associated with the 
SmartConnector's translated source address. The translation is presumed to be NAT 
(network address translation). How this field gets populated is discussed in the 
Zones section of the SmartConnectors topic. This field is present for ESM v3.0 
compatibility. It is not relevant in post ESM 3.0 releases because of integral zone 
mapping. 

Destination Zone URI:
When populated, this field shows the URI of the zone associated with the 
SmartConnector's destination address. How this field gets populated is discussed in 
the Zones section of the SmartConnectors topic. This field is present for ESM v3.0 
compatibility. It is not relevant in post ESM 3.0 releases because of integral zone 
mapping. 

Destination Translated Zone URI:
When populated, this field shows the URI of the zone associated with the 
SmartConnector's translated destination address. The translation is presumed to be 
NAT (network address translation). How this field gets populated is discussed in the 
Zones section of the SmartConnectors topic. This field is present for ESM v3.0 
compatibility. It is not relevant in post ESM 3.0 releases because of integral zone 
mapping. 

Connector Translated Zone URI:
When populated, this field shows the URI of the zone associated with the 
SmartConnector's translated address. The translation is presumed to be NAT 
(network address translation). How this field gets populated is discussed in the 
Zones section of the SmartConnectors topic. This field is present for ESM v3.0 
compatibility. It is not relevant in post ESM 3.0 releases because of integral zone 
mapping. 

Device Zone URI:
When populated, this field shows the URI of the zone associated with the device's 
address. How this field gets populated is discussed in the Zones section of the 
SmartConnectors topic. This field is present for ESM v3.0 compatibility. It is not 
relevant in post ESM 3.0 releases because of integral zone mapping. 

Device Translated Zone URI:
When populated, this field shows the URI of the zone associated with the device's 
translated address. The translation is presumed to be NAT (network address 
translation). How this field gets populated is discussed in the Zones section of the 
SmartConnectors topic. This field is present for ESM v3.0 compatibility. It is not 
relevant in post ESM 3.0 releases because of integral zone mapping. 

Field Based Aggregation:
This feature is an extension of basic connector aggregation. Basic aggregation 
aggregates two events if, and only if, the fields of the two events are the same per 
the fields listed in the description of "Enable Aggregation (in secs)" on page 153. 

However, field-based aggregation implements a more flexible aggregation 
mechanism; two events are aggregated if only the selected fields are the same for 
both events. (Note: Field-based aggregation creates a new alert that contains only 
the fields that were specified, so the rest of the fields are ignored, unless “Preserve 
Common Fields” is set to “Yes”.) 

Field-based aggregation offers several advantages over basic aggregation, including: 

• Control over what fields to aggregate on 

• Start and end time set to the earliest start time and latest end time, respectively 
(instead of taking the values from the first event in the group, like basic 
aggregation) 

• Option to preserve common fields 

• Option to sum one or more numeric fields 

SmartConnector aggregation significantly reduces the amount of data received, and 
should be applied only when you use less than the total amount of information the 
event offers. For example, you could enable field-based aggregation to aggregate 
"accepts" and "rejects" in a firewall, but you should use it only if you are interested in 
the count of these events, instead of all the information provided by the firewall. 

Time Interval:
Choose a time interval, if applicable, to use as a basis for aggregating the events the 
connector collects. Aggregation time interval and threshold settings need to both be 
set in order for the aggregation to be enabled. 

(Disabled, 1 sec, 5 sec, and so on, up to 1 hour.) 

Event Threshold:
Choose a number of events, if applicable, to use as a basis for aggregating the 
events the connector collects. This is the maximum count of events that can be 
aggregated; for example, if 150 events were found to be the same within the time 
interval selected (i.e., contained the same selected fields) and you select an event 
threshold of 100, you then receive two events, one of count 100 and another of count 
50. This option is exclusive of Time Interval. (Disabled, 10 events, 50 events, and 
so on, up to 10,000 events.) 

Field Names:
Choose one or more fields, if applicable, to use as the basis for aggregating the 
events the connector collects. Use Ctrl+click to select multiple fields. The result is 
a comma-separated list of fields to monitor. For example, 
"eventName,deviceHostName" would aggregate events if they have the same 
event- and device-host names. You can use any of the event fields displayed in the 
event inspector; the name can contain no spaces and the first letter should not be 
capitalized. 





Fields to Sum:
Choose one or more fields, if applicable, to use as the basis for aggregating the 
events the connector collects. 

If specified, this set of numeric fields is summed rather than aggregated, preserved, 
or discarded. The most common fields to sum are bytesIn and bytesOut. Note that 
if any of the fields listed here are also in the list of field names to aggregate, they are 
aggregated and not summed. 

Preserve Common Fields:
(Yes | No) Choosing Yes adds fields to the aggregated event if they have the same 
values for each event. Choosing No, the default, ignores non-aggregated fields in 
aggregated events. 
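The field-based aggregation settings described above (Field Names, Time Interval, Event Threshold, Fields to Sum, Preserve Common Fields) as an added worked example. This is not ArcSight code and does not claim to reproduce the connector's internals; it implements the documented behaviour on constructed events: 150 identical firewall accepts with an Event Threshold of 100 come out as two aggregated events of count 100 and 50, with earliest start and latest end times, summed byte counts, common fields preserved, and a field that is also an aggregation key aggregated rather than summed. The field names (baseEventCount, startTime, endTime and the sample event fields) and the choice to close a group when the Time Interval elapses or the Event Threshold is reached, whichever comes first, are assumptions made for the example.

```python
class FieldAggregator:
    """Aggregates events whose selected fields match, within a time interval
    and up to an event threshold, summing chosen numeric fields and optionally
    preserving fields that are identical across the group."""

    def __init__(self, field_names, event_threshold, time_interval,
                 fields_to_sum=(), preserve_common=False):
        self.keys = list(field_names)
        self.threshold = event_threshold
        self.interval = time_interval          # seconds
        # A field that is also an aggregation key is aggregated, not summed.
        self.sums = [f for f in fields_to_sum if f not in self.keys]
        self.preserve = preserve_common
        self.groups = {}                        # key tuple -> pending events

    def _key(self, event):
        return tuple(event.get(f) for f in self.keys)

    def _flush(self, key):
        group = self.groups.pop(key)
        out = dict(zip(self.keys, key))
        # Earliest start and latest end, not the first event's values.
        out["startTime"] = min(e["startTime"] for e in group)
        out["endTime"] = max(e["endTime"] for e in group)
        out["baseEventCount"] = len(group)      # assumed name for the count field
        for f in self.sums:
            out[f] = sum(e.get(f, 0) for e in group)
        if self.preserve:
            skip = set(self.keys) | set(self.sums) | {"startTime", "endTime"}
            for f, v in group[0].items():
                if f not in skip and all(e.get(f) == v for e in group):
                    out[f] = v
        return out

    def add(self, event):
        """Feed one event; returns the aggregated events emitted as a result."""
        emitted = []
        key = self._key(event)
        group = self.groups.setdefault(key, [])
        # Time Interval: a group older than the interval is closed first.
        if group and event["endTime"] - group[0]["startTime"] >= self.interval:
            emitted.append(self._flush(key))
            group = self.groups.setdefault(key, [])
        group.append(event)
        # Event Threshold: the maximum count one aggregated event may carry.
        if len(group) >= self.threshold:
            emitted.append(self._flush(key))
        return emitted

    def flush_all(self):
        """Close every open group, e.g. at shutdown or at the end of a batch."""
        return [self._flush(k) for k in list(self.groups)]


def demo():
    """150 constructed firewall accepts from one device inside one interval,
    with an Event Threshold of 100: two aggregated events result (100 + 50)."""
    agg = FieldAggregator(["eventName", "deviceHostName"], event_threshold=100,
                          time_interval=60, fields_to_sum=["bytesIn", "bytesOut"],
                          preserve_common=True)
    emitted = []
    for i in range(150):                        # ten events per second
        emitted += agg.add({
            "eventName": "accept", "deviceHostName": "fw1",
            "startTime": 1000 + i // 10, "endTime": 1000 + i // 10,
            "bytesIn": 10, "bytesOut": 5, "deviceVendor": "ACME",
            "sourceAddress": "10.0.0.%d" % (i % 2),   # differs, so not preserved
        })
    return emitted + agg.flush_all()


def demo_interval():
    """Two matching events 61 s apart with a 60 s interval: the first group is
    closed by time rather than by count."""
    agg = FieldAggregator(["eventName"], event_threshold=100, time_interval=60)
    first = agg.add({"eventName": "reject", "startTime": 0, "endTime": 0})
    second = agg.add({"eventName": "reject", "startTime": 61, "endTime": 61})
    return len(first), [e["baseEventCount"] for e in second], len(agg.flush_all())
```

The point to notice for detection work is what the aggregated event no longer carries: sourceAddress alternates between two hosts and is dropped from the output, so a rule that needs per-source counts must list sourceAddress among the Field Names rather than rely on Preserve Common Fields.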

Filter Aggregation:
Filter Aggregation is a way of capturing aggregated event data from events that 
would otherwise be discarded due to an agent filter. Only events that would be 
filtered out are considered for filter aggregation (unlike Field-based aggregation, 
which looks at all events). 

SmartConnector aggregation significantly reduces the amount of data received, and 
should be applied only when you use less than the total amount of information the 
event offers. 

Time Interval:
Choose a time interval, if applicable, to use as a basis for aggregating the events the 
connector collects. It is exclusive of Event Threshold. (Disabled, 1 sec, 5 sec, and 
so on, up to 1 hour.) 

Event Threshold:
Choose a number of events, if applicable, to use as a basis for aggregating the 
events the connector collects. This is the maximum count of events that can be 
aggregated; for example, if 150 events were found to be the same within the time 
interval selected (i.e., contained the same selected fields) and you select an event 
threshold of 100, you then receive two events, one of count 100 and another of count 
50. This option is exclusive of Time Interval. (Disabled, 10 events, 50 events, and 
so on, up to 10,000 events.) 

Fields to Sum:
(Optional) Choose one or more fields, if applicable, to use as the basis for 
aggregating the events the connector collects. 

Processing 

Preserve Raw Event:
(Yes | No) Some devices contain a raw event that can be captured as part of the 
generated alert. If that is not the case, most connectors can also produce a serialized 
version of the data stream that was parsed/processed to generate the ArcSight 
event. This feature allows the connector to preserve this serialized "raw event" as a 
field in the event inspector. This feature is disabled, by default, since using raw data 
increases the event size and therefore requires more database storage space. 

You can enable this by changing the Preserve Raw Event setting. If you choose 
Yes, the serialized representation of the "Raw Event" is sent to the ArcSight 
Manager and preserved in the Raw Event field. 

Turbo Mode:
If your configuration, reporting, and analytic usage permits, you can greatly 
accelerate the transfer of a sensor's event information through SmartConnectors by 
choosing one of two "turbo" (narrower data bandwidth) modes. 

Complete is the default transfer mode, which passes all the data arriving from the 
device, including any additional data (custom, or vendor-specific). This corresponds 
to turbo.enabled=false on the Manager. Since this value is not the default, be sure 
to add this property to the Manager’s server.properties file. 

The first level of Turbo acceleration is called Faster and drops just additional data, 
while retaining all other information. The Fastest mode eliminates all but a core set of 
event attributes, in order to achieve the best throughput. Consider the possible 
effects such a restricted data set might have from a given device (for example, on 
reports, rules, threat resolution) before selecting it. 

The specific event attributes that apply to these modes in your enterprise are defined 
in the self-documented $ARCSIGHT_HOME/config/connector/agent.properties 
file for the ArcSight Manager. Because these properties may have been adjusted for 
your needs, you should refer to this file for definitive lists. 

Only scanner SmartConnectors must run in Complete mode, to capture the 
additional data. 

Note: SmartConnector Turbo Modes are superseded by the Turbo Mode in use by 
the ArcSight Managers processing their events. For example, a Manager set to 
Faster cannot pass all the data possible for a SmartConnector that is set for the 
default of Complete. 



Enable Aggregation (in secs):
Note: If you have already used this feature for setting up previous SmartConnectors, 
you can continue to do so. However, ArcSight recommends that you use the new 
"Field Based Aggregation" on page 150 feature as a more flexible option. 

Here is the description of the legacy “Enable Aggregation” feature, for those of you 
who are still using it: 

When enabled, Enable Aggregation (in seconds) aggregates two or more events 
on the basis of the selected time value. (Disabled, 1, 2, 3, 4, 5, 10, 30, 60) 

The aggregation is performed on one or more matches for a fixed subset of fields: 

• Agent ID 

• Name 

• Device event category 

• Agent severity 

• Destination address 

• Destination user ID 

• Destination port 

• Request URL 

• Source address 

• Source user ID 

• Source port 

• Destination process name 

• Transport protocol 

• Application protocol 

• Device inbound interface 

• Device outbound interface 

• Additional data (if any) 

• Base event IDs (if any) 

The aggregated event shows the event count (how many events were aggregated 
into the displayed event) and event type. The rest of the fields in the aggregated 
event take the values of the first event in the set of aggregated events. 

Limit Event Processing Rate:
You can moderate the SmartConnector's burden on the CPU by reducing its 
processing rate. This can also be a means of dealing with the effects of event bursts. 

The choices range from Disabled (no limitation on CPU demand) to 1 eps (pass just 
one event per second, making the smallest demand on the CPU). 

Be sure to note that this option's effect varies with the category of SmartConnector 
in use, as described in the SmartConnector Processing Categories table below. 

Fields to Obfuscate:
Using MD5 hashing, this option allows you to specify a list of fields for obfuscation in 
a security event. 

Store Original Time In:
This parameter allows you to move the original device receipt time to a specified field 
if altered by the time correction. 

Enable Port-Service Mapping:
(Disabled | Enabled) 

If Enabled and one of the two fields destination port and application protocol is set, 
and the other is not, the one that is set is used to set the other. For example, if the 
destination port is 22 and application protocol is not set, then the application protocol 
is set to ssh. 

Default is Disabled. 

Uppercase User Names:
(Disabled | Enabled) 

Default is Disabled. If set to any of the enabled settings, the two user name fields 
are automatically changed to uppercase. 

The original values are saved as follows: 

• Enabled (orig to ID) saves the original values to the sourceUserId and 
destinationUserId fields, respectively, overwriting any values that may have 
been there previously. 

• Enabled (orig to ID or Flex) saves the original values in the same fields if they 
do not already contain values, or to the flexString1 (source) and flexString2 
(destination) fields if the ID fields do contain values. 

• Enabled (orig to Add. Data) saves the original values to additional data fields 
called OrigSrcUsrName and OrigDstUsrName, respectively. 

Note: The uppercase operation is typically done using the default Locale for the 
chosen platform. You can set this to a particular Locale by setting the 
connector.uppercase.user.name.locale property in agent.properties to the desired 
Locale (using "en_US" for U.S. English, for example). 

Enable User Name Splitting:
(Yes | No) If this is set to Yes and the destination user name contains commas in the 
event, this parameter duplicates that event. Each user name in the list is placed in 
one of the events. 

For example, if the destination username in an event is “User 123, User 456”, then 
that event is sent twice, with the destination user name set to “User 123” in the first 
and “User 456” in the second. 

Default is No. 

Split File Name into Path and Name:
(Yes | No) If this is set to Yes and an event’s file name field is set but its file path field 
is not, this parameter splits the file name into a path and a name, placing each part 
into appropriate fields. 

For example, if the file name field is set to C:\dir\file.ext and the file path is not 
set, then the file path is set to C:\dir and the file name to file.ext. The separator 
character can be either \ or / as the system looks to the SmartConnector to 
determine its platform. 

Default is No. 
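The three user-name and file-name processing options above (Uppercase User Names with its three ways of saving the original value, Enable User Name Splitting, and Split File Name into Path and Name) as one added example. This is not ArcSight code; it applies the documented transformations in that order to a constructed event so that the interactions are visible: the uppercased, comma-separated destination user name is then split into two events, and each copy has its Windows-style file name split on the backslash. The mode names, the additionalData map and the sample values are assumptions for the example; note also that Python's str.upper() is locale-independent, unlike the Locale-driven operation the page describes.

```python
import copy


def uppercase_user_names(event, mode):
    """Uppercase the two user name fields and save the originals.

    mode is one of "orig_to_id", "orig_to_id_or_flex", "orig_to_add_data";
    these are assumed names for the three Enabled settings on the page."""
    out = copy.deepcopy(event)
    for side, id_field, flex_field, add_field in (
        ("source", "sourceUserId", "flexString1", "OrigSrcUsrName"),
        ("destination", "destinationUserId", "flexString2", "OrigDstUsrName"),
    ):
        name_field = side + "UserName"
        orig = out.get(name_field)
        if not orig:
            continue
        if mode == "orig_to_id":                       # always overwrite the ID field
            out[id_field] = orig
        elif mode == "orig_to_id_or_flex":             # ID if empty, else the flex field
            out[flex_field if out.get(id_field) else id_field] = orig
        elif mode == "orig_to_add_data":               # additional data fields
            out.setdefault("additionalData", {})[add_field] = orig
        out[name_field] = orig.upper()                 # locale-independent in Python
    return out


def split_user_names(event):
    """Duplicate the event once per comma-separated destination user name."""
    names = [n.strip() for n in event.get("destinationUserName", "").split(",")]
    names = [n for n in names if n]
    if len(names) < 2:
        return [event]
    return [dict(event, destinationUserName=n) for n in names]


def split_file_name(event, windows):
    """If fileName is set and filePath is not, split on the platform separator."""
    out = dict(event)
    name = out.get("fileName", "")
    if name and not out.get("filePath"):
        sep = "\\" if windows else "/"
        path, found, base = name.rpartition(sep)
        if found:                                      # leave a bare name untouched
            out["filePath"], out["fileName"] = path, base
    return out


def demo():
    """Constructed event run through all three options (Windows connector)."""
    event = {
        "sourceUserName": "jdoe", "sourceUserId": "S-1-5-21-0",   # ID already populated
        "destinationUserName": "User 123, User 456",
        "fileName": r"C:\dir\file.ext",
    }
    uppercased = uppercase_user_names(event, "orig_to_id_or_flex")
    return [split_file_name(e, windows=True) for e in split_user_names(uppercased)]
```

The order matters for correlation: because the source ID was already populated, the original "jdoe" lands in flexString1, while the destination original goes to destinationUserId as a whole, un-split string.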

Event Integrity Algorithm:
(Disabled | SHA-256 | SHA-1 | MD5 | SHA-512) 

If this is set to one of the algorithms (such as SHA-256), and the Preserve Raw 
Event parameter is Enabled, then additional event integrity internal events are 
generated, normally at a rate of about 1 per 50 normal events. 

The crypto signature field is also set in each event in the format 
"#seq(alg):digest", where seq is a persistent event sequence number, alg is the 
message digest algorithm, and digest is the hexadecimal message digest. 

These extra events and the crypto signature field values can be used to verify that no 
events were tampered with after generation. 

Supported algorithms are: SHA-256, SHA-1, MD5, and SHA-512. 

Default is Disabled (that is, no algorithm is applied). 
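An added example of how the crypto signature field can be used on the receiving side; this is not ArcSight code, and the page does not state exactly which bytes the connector digests, so the example assumes the digest covers the preserved raw event and that the sequence number increases by one per event. Under those assumptions a verifier can recompute each digest and walk the sequence numbers, which surfaces the two things the field exists to catch: an event whose content changed after it was signed, and a missing event in the stored sequence. The raw syslog lines are constructed.

```python
import hashlib

# Page-listed algorithm names mapped to hashlib names.
ALGS = {"SHA-256": "sha256", "SHA-1": "sha1", "MD5": "md5", "SHA-512": "sha512"}


def sign_events(raw_events, alg, start_seq=1):
    """Attach a "#seq(alg):digest" crypto signature to each raw event.
    The digest covering only the raw event is an assumption for this example."""
    signed = []
    for seq, raw in enumerate(raw_events, start_seq):
        digest = hashlib.new(ALGS[alg], raw.encode("utf-8")).hexdigest()
        signed.append({"rawEvent": raw, "cryptoSignature": "#%d(%s):%s" % (seq, alg, digest)})
    return signed


def parse_signature(sig):
    """Parse "#seq(alg):digest" into (seq, alg, digest); raises ValueError."""
    if not sig.startswith("#") or ":" not in sig or "(" not in sig:
        raise ValueError("not a crypto signature: %r" % sig)
    head, _, digest = sig[1:].partition(":")
    seq, _, alg = head.partition("(")
    return int(seq), alg.rstrip(")"), digest


def verify_events(events):
    """Walk stored events in order and report integrity findings as
    ("tampered", seq), ("gap", expected_seq), ("unknown_alg", seq) or
    ("bad_format", index) tuples. An empty list means everything checked out."""
    findings = []
    expected = None
    for index, ev in enumerate(events):
        try:
            seq, alg, digest = parse_signature(ev.get("cryptoSignature", ""))
        except ValueError:
            findings.append(("bad_format", index))
            continue
        if expected is not None and seq != expected:
            findings.append(("gap", expected))      # sequence jumped: events missing
        expected = seq + 1
        if alg not in ALGS:
            findings.append(("unknown_alg", seq))
            continue
        recomputed = hashlib.new(ALGS[alg], ev["rawEvent"].encode("utf-8")).hexdigest()
        if recomputed != digest:
            findings.append(("tampered", seq))      # content changed after signing
    return findings


def demo():
    """Sign four constructed raw events, then alter one and drop another
    from the stored copy and verify both the pristine and the damaged set."""
    raw = [
        "<34>Mar  1 12:00:01 fw1 accept src=10.0.0.5 dst=10.0.1.7",
        "<34>Mar  1 12:00:02 fw1 reject src=10.0.0.9 dst=10.0.1.7",
        "<34>Mar  1 12:00:03 fw1 accept src=10.0.0.7 dst=10.0.1.7",
        "<34>Mar  1 12:00:04 fw1 reject src=10.0.0.9 dst=10.0.1.8",
    ]
    signed = sign_events(raw, "SHA-256")
    stored = [dict(e) for e in signed]
    stored[1]["rawEvent"] = stored[1]["rawEvent"].replace("reject", "accept")  # altered
    del stored[2]                                                               # removed
    return verify_events(signed), verify_events(stored)
```

A verifier of this kind is only as strong as the secrecy of the sequence counter and the storage of the signatures: an unkeyed digest detects accidental or unsophisticated modification, which is what the page claims for it, but it is not a MAC, so the integrity events and signatures should themselves be kept where the parties who could alter events cannot rewrite them.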

Generate Unparsed Events:
(Yes | No) If set to Yes and some incoming event data cannot be parsed (perhaps 
because a device has been upgraded since the SmartConnector parser was written), 
then a special event named “Unparsed Event” is generated. The raw event appears 
in the event message field. 

If set to No, the SmartConnector log files indicate the unparsed events. 

Default is No. 

Preserve System Health Events:
(Yes | No) If set to Yes, internal system health events are preserved. 

SmartConnectors generate system health events that provide information about the 
systems on which they are installed (for example, disk usage, network memory, 
JVM memory, percentage of processing of CPU memory usage, and so forth). By 
default, these events are not retained or passed on to ArcSight destinations and, 
therefore, not available for viewing. Setting this option to Yes makes them available 
in the Console. 

Enable Device Status Monitoring (in millisec):
( <NumberOfMilliseconds> | -1 (disabled)) 

If set to a <NumberOfMilliseconds>, the selected SmartConnector generates 
internal events periodically, at an interval of 1 minute (60000 milliseconds) or 
greater, with the status of the devices for which the connector is receiving normal 
events. These events have the name "Connector Device Status." 

Enabling periodic device status monitoring events helps monitor both the 
SmartConnector and device uptime. 

Device status monitoring events include this information, if available: 

• Event name (Connector Device Status) 

• Vendor and Product information 

• Source Address and Host Name 

• Zone 

• Last event received 

• Total number of events for the device since the connector started 

• Event count since last call 

Device status monitoring events can be set to generate every 1 minute (60000 
milliseconds), or less frequently (that is, a greater number of milliseconds than the 
minimum). 

If you specify less than 60000, you get a warning in the log that the minimum is 
60000 milliseconds (1 minute) and the system uses the minimum. 

If you enter a non-number in the field, it generates an error in the log that the value 
could not be parsed. In this case, the feature is disabled (and logged as such). 

In such cases, there is no indication on the Console that anything went wrong 
because there is no way for the Connector to convey that error. 

Payload Sampling (when available):
Some SmartConnectors use Payload sampling to send a portion of packet payload 
(as opposed to the complete payload) along with the original event. This portion is 
retrieved using the on-demand payload retrieval in the event inspector. 

Maximum Length:
You can configure the maximum length of the payload sample using the following 
values: 

• Discard 

• 128 bytes 

• 256 bytes 

• 512 bytes 

• 1 Kbyte 

When the Discard option is chosen, no payload sample is sent inside the original 
event. 

Mask Non-printable Characters:
This feature allows you to mask the non-printable characters in the payload sample. 


SmartConnector Processing Categories 

The following table shows the SmartConnector processing categories. 

SmartConnector Processing Categories 

SmartConnector Type: Effects of Limited Usage 

Syslog connectors:
Due to the nature of UDP (user datagram protocol, the transport protocol used 
by Syslog), these connectors can potentially lose events if the configurable 
event rate is exceeded. This is because the connector delays processing to 
match the event rate configured, and while in this state, the UDP cache may fill 
and the operating system drop UDP messages. 

Caution: HP does not recommend using the Limit CPU Usage option with 
these connectors because of this possibility of event loss. 

SNMP connectors:
Similar to Syslog connectors, when the event rate is limited on SNMP 
connectors, they potentially lose events. SNMP is also UDP-based and has the 
same issues as Syslog. 

Database connectors:
Since connectors "follow" the database tables, limiting the event rate for 
database connectors can slow the operation of other connectors. The result can 
be an event backlog sufficient to delay the reporting of alerts by as much as 
minutes or hours. However, no events are lost, unless the database tables are 
truncated. After the event burst is over, the connector may eventually catch up 
with the database if the event rate does not exceed the configured limit. 

File connectors:
Similar to database connectors, file-based connectors "follow" files, so limiting 
their event rates also causes an event backlog. This can eventually force the 
connector to fall behind by as much as minutes or hours, depending on the 
actual event rate. Similarly, the connectors may catch up if the event rate does 
not exceed the configured rate. 

Proprietary API connectors:
These connectors' behavior depends on the particular API (for example, 
OPSEC behaves differently than PostOffice and RDEP). But in most cases, 
there is no event loss unless the internal buffers and queues of the API 
implementation fill up. Therefore, these connectors work much like database or 
file connectors. 


SmartConnector Time Interval Options 

This time interval applies to the Alternate Settings and it specifies when the alternate settings must be 
used by the SmartConnector. For example, if you want to cache the events during the day and send 
everything at night, you can configure the Transport Mode to cache in the default configuration and 
configure the Transport Mode to normal in the Alternate Settings, then you would set the time interval 
from 8PM to 8AM (next day). 


[Screenshot: Inspect/Edit panel, Event Inspector, Connector: Nifty Replay Connect...; tabs Connector | Networks | Default | Alternate#1 | Notes | Content | Filters; Time Interval From: 8 PM, To: 8 AM; Batching: Enable Batching (per event) 100] 

• “From:” Specifies the starting time to apply the Alternate settings. 

• “To:” Specifies the ending time for the Alternate settings, when it reverts to the default settings. If 
this is less than the From setting, the value is interpreted as the next day. For example, a setting 
from 8PM to 8AM is interpreted as starting at 8PM and ending at 8AM the following day. 

To save configuration changes to the SmartConnector, click OK. 
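The From/To wrap-around rule above, as an added example (not ArcSight code) that decides which Transport Mode is in force at a given clock time. The window is treated as half-open, so at exactly the To time the default settings apply again; that, the default-versus-alternate mode names used, and the choice to treat From equal to To as a full-day window are assumptions for the example.

```python
from datetime import time


def in_alternate_window(now, start, end):
    """True when `now` falls inside the Alternate Settings interval [start, end).

    If end is not later than start, the interval wraps past midnight into the
    next day, exactly as an 8PM-to-8AM setting is read on the Console."""
    if start < end:
        return start <= now < end
    return now >= start or now < end


def active_transport_mode(now, start=time(20, 0), end=time(8, 0),
                          default_mode="Cache", alternate_mode="Normal"):
    """Cache during the day (default settings), send at night (alternate)."""
    return alternate_mode if in_alternate_window(now, start, end) else default_mode


def demo():
    """Sample the mode at a few whole hours across the 8PM-to-8AM window."""
    return [active_transport_mode(time(h, 0)) for h in (7, 8, 12, 19, 20, 23, 0)]
```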
Managing SmartConnector Filter Conditions 

SmartConnectors have built-in filters that function as a filtering tool between devices and the ArcSight 
Manager, using filtering conditions. Filtering conditions are set with a combination of AND or OR 
statements and data field values. Extra or unneeded events are filtered out to minimize the number of 
events sent to the ArcSight Manager and analyzed in the ArcSight Console. 


Adding SmartConnector Filter Conditions 

1. In the Navigator panel, choose the Connectors resource tree. 

2. In the Connectors resource tree, right-click a SmartConnector and choose Configure. 

3. Go to the Default > Filter tab. 

The Filters tab displays a list of the default filters for the SmartConnector. 

4. Select a filter for which you want to customize a condition. 

The Common Conditions Editor appears. 

5. Right-click the event alias, event1, and select New Condition. 

6. In the popup, select a data field from the drop-down menu and start defining your statement. For 
help with defining condition statements, see "Common Conditions Editor (CCE)" on page 864, 
especially "Condition Tree Command Buttons" on page 866 and "Condition Tree Context Menu 
Commands" on page 868. 

7. Select a logical operator on the drop-down menu. See "Logical Operators" on page 999 for details. 

8. Enter a value in the last text field to complete the conditional statement. 

9. Click OK. 


Deleting SmartConnector Filter Conditions 

1. In the Navigator panel, choose the Connectors resource tree. 

2. In the Connectors resource tree, right-click the SmartConnector and choose Configure. 

3. In the Filtering section on the Advanced tab, right-click a condition and choose Delete condition. 
Setting Special Severity Levels 

You can customize or conditionalize the event-severity levels reported by SmartConnectors. 
Customizing means pre-setting a given SmartConnector's filter to one specific severity level; 
conditionalizing is essentially the same, but with the addition of a filter condition to determine when the 
pre-set severity level is reported. 

To configure a custom or conditional severity level: 

1. Choose the Connectors resource tree in the Navigator panel. 

2. In the Connectors resource tree, right-click the appropriate SmartConnector and choose 
Configure. 

3. In the Connector Configuration Editor, select the Connector: Default: Filters tab. 

4. In the Filters tab, select a severity level. 

5. In the Filter Condition dialog box choose a field, a logical operator, and enter a value for the 
condition. 


ArcSight Console User's Guide 
Chapter 5: Managing SmartConnectors 



6. Click OK in the Filter Condition dialog box and Apply or OK in the Connector Configuration 
Editor. 

For example, select the "Very-High Severity" filter and define a condition in which Category 
Significance contains "Hostile". When this condition is met, the severity of the event becomes 
"Very-High." 

For more information, see "Managing SmartConnector Filter Conditions" on page 159. 
Sending Model Mappings to SmartConnectors 

Updates to network model mappings are sent automatically from the ArcSight Manager to 
SmartConnectors within heartbeat messages. The heartbeat messages themselves are sent on an 
interval which can be anywhere from every 5 seconds to every 10 minutes, but network model 
mappings are included in the messages only when there are updates to the model. 

Note: The interval on which information is exchanged between the Manager and SmartConnectors 
is determined by the Heartbeat Frequency setting on each Connector. (See information on 
"Heartbeat Frequency" on page 146 in default content tab configuration fields under "Selecting and 
Setting SmartConnector Parameters" on page 140.) 

If you have made several configuration updates to the network model on the Manager and would like 
these changes to take effect immediately on the SmartConnectors without waiting for the next 
automatic refresh, you can use the following command to send the update information to a selected 
Connector. 

To send model mappings to SmartConnectors: 

1. In the Navigator panel, choose the Connectors resource tree. 

2. In the Connectors resource tree, right-click the SmartConnector you want to update and choose 
Send Model mappings now. 

This sends information about the current network model mappings from the Manager to the selected 
Connector. It forces a comprehensive refresh of the zone mappings and network model information on 
the Connector. 


Sending Control Commands to SmartConnectors 

From the Console, you can issue basic event-flow-control commands to SmartConnectors, get the 
operational status of a SmartConnector, or issue control commands to network devices through their 
SmartConnectors. This topic discusses the first two points. 

To author rule-driven device-command responses to events, see "Managing Rule Actions" on 
page 515. 


Getting Status Reports 

You can see a SmartConnector's current operational state at any time. 
Where: Navigator > Resources > Connectors 

1. Right-click the SmartConnector, choose Send Command > Status > Get Status. 

2. In the Connector Status window you can see a readout of all the connector's current parameters. 


Sending Standard Flow-Control Commands 

Note: Familiarize yourself with the effects of the commands described in this topic. 

• Events received while a connector is stopped are not retained: a stopped connector does not write 
them to its local cache. A paused connector keeps caching events received from the device (see the 
Pause and Stop descriptions below). 

• If a SmartConnector runs out of disk space, it can lose its ability to track events. 

• Use the Terminate command only in very special circumstances, because it kills all SmartConnector 
processes and the connector can then be restarted only from the machine on which it is installed. 

• See "Managing Rule Actions" on page 515 for a description of the rule-based automated 
alternative for giving SmartConnector commands. 


Where: Navigator > Resources > Connectors 

1. Right-click the SmartConnector, choose Send Command, and then one of the menu options 
described below. 


Note: Commands available on this menu vary depending on which SmartConnectors you are 
using. The standard set of commands is described here. 


SmartConnector Status Commands 

Status category 

• Get Status: Provides a full report on the selected SmartConnector's current operational state. 

• Get Device Status: Provides the status of the device that reports to the SmartConnector. (Currently 
only available for the Cisco IDS/IPS SmartConnector.) 

Connector Process category 

• Restart: Stops, then restarts a running SmartConnector. 

  Caution: After a connector is terminated, Console commands cannot access it. Therefore, a restart 
  works only on a connector that is currently running. 

• Terminate: Shuts down the SmartConnector and all processes the SmartConnector started. 

  Caution: Once a connector is terminated, Console commands (including Connector Process > 
  Restart) cannot access it. The connector must be restarted manually from the machine on which it is 
  installed. 

Event Flow category 

• Pause: Stops the SmartConnector from sending events to the ArcSight Manager. 

  Note: Events received from the target device are saved in the connector cache (even though the 
  connector is in Pause state). 

• Stop: Stops the SmartConnector from sending events to the ArcSight Manager. 

  Caution: A Stop command causes the SmartConnector to stop sending all events, which means it is 
  not sending events to the connector cache, either. Events received from the device while the 
  connector is stopped are lost. 

• Start: Prompts the SmartConnector (previously in Stop or Pause state) to start sending events to 
the ArcSight Manager. 

Network category 

• Flush Name Resolver Cache: Clears the cache for the network name resolver. 

Upgrade category 

• Upgrade: Launches a Command Parameters dialog for remote upgrade to newer versions of 
ArcSight SmartConnectors for managed assets. 

  Provide the version number of the connector to which you want to upgrade and a wait time to verify 
  that the upgrade completed successfully. (If the upgrade is not successful, the system performs an 
  automatic rollback to the previous version of the connector.) 

  Click OK to start the upgrade. 

  See "Upgrading SmartConnectors" on page 175 for prerequisites for the upgrade process and 
  detailed information on how to upgrade Connectors. 

• Rollback Upgrade: Launches a Command Parameters dialog for remote rollback of the connector to 
the previously installed version. See "Upgrading SmartConnectors" on page 175 for complete 
information. 

Adjust category 

• Rename Mismatched Override Files: Enables you to remotely rename a connector parser override 
file whose version stamp no longer matches the parser that it was intended to override. Renaming it 
appends ".1" (or .2, .3, and so on, if earlier numbers are in use), which stops the file from being 
used. 

  The first parameter is a regular expression you can specify to match specific override files (or 
  blank, the default, for all). The second parameter is a boolean where true, the default, means 
  restart the connector if any files are renamed. 

The Console's status bar shows a confirmation message when the flow control option takes effect. 
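The rename rule for mismatched override files is simple enough to reproduce locally, which is useful when you want to see what the command would do before letting it restart a production connector. The following Python script is an added example, not part of this guide or of the SmartConnector software: it plans and performs the same ".1", ".2", ... renaming on a directory of override files, honours the regular-expression parameter, and skips suffixes that are already taken. It assumes the list of mismatched files is supplied by the caller (the connector's own version-stamp check is not reproduced) and uses constructed file names in a temporary directory. 

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def next_free_suffix(path: Path) -> Path:
    """Return `path` with the lowest unused numeric suffix appended (.1, .2, ...),
    mirroring the renaming rule of Rename Mismatched Override Files."""
    n = 1
    while True:
        candidate = path.with_name(f"{path.name}.{n}")
        if not candidate.exists():
            return candidate
        n += 1


def plan_renames(override_dir: Path, mismatched: Iterable[str],
                 pattern: str = "") -> Dict[str, str]:
    """Map each mismatched override file name to the name it would be renamed to.

    `mismatched` lists override files whose version stamp no longer matches the
    parser (assumption: the caller obtained this list from the connector; the
    stamp check itself is not reproduced here). `pattern` is the optional regular
    expression parameter; blank means all files, as in the Console command.
    """
    regex = re.compile(pattern) if pattern else None
    plan: Dict[str, str] = {}
    for name in mismatched:
        if regex is not None and not regex.search(name):
            continue
        src = override_dir / name
        if not src.is_file():
            continue  # already renamed or never existed; nothing to do
        plan[name] = next_free_suffix(src).name
    return plan


def apply_renames(override_dir: Path, plan: Dict[str, str]) -> int:
    """Perform the planned renames and return how many files were renamed.
    A non-zero count is the cue to restart the connector, which the command's
    second (boolean) parameter does by default."""
    for src, dst in plan.items():
        (override_dir / src).rename(override_dir / dst)
    return len(plan)


def demo() -> Dict[str, str]:
    """Constructed scenario with hypothetical file names: one override file that
    was already renamed once (so ".1" is taken) and an unrelated file that the
    pattern must leave alone."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("cisco_ids.sdkrfilereader.properties",
                     "cisco_ids.sdkrfilereader.properties.1",
                     "syslog.sdkrfilereader.properties"):
            (d / name).write_text("# constructed placeholder\n")
        mismatched = ["cisco_ids.sdkrfilereader.properties",
                      "syslog.sdkrfilereader.properties"]
        plan = plan_renames(d, mismatched, pattern=r"^cisco_")
        renamed = apply_renames(d, plan)
        assert renamed == 1
        assert (d / "cisco_ids.sdkrfilereader.properties.2").is_file()
        assert (d / "syslog.sdkrfilereader.properties").is_file()
        return plan


if __name__ == "__main__":
    print(demo())
```

Run `demo()` to see the plan; the renamed file gets the ".2" suffix because ".1" is already in use, exactly the case the command description calls out. 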

Tech Support Commands 

Tech Support commands are provided for use primarily by HP Customer Support. Brief descriptions of 
these Tech Support commands are provided for informational purposes, but these commands are not 
intended for use by HP ArcSight customers except as instructed by HP Customer Support. 

Tech Support Category Commands 

• Get Support Info: Gets logs and other feedback on connectors. 

• Get 'agent.properties': Shows the list of properties for the selected connector. 

• Get Upgrade Logs: Gets upgrade logs on connectors. 

• Get 'agent.wrapper.conf': Shows the wrapper configuration for the selected connector. 

• Get Configuration XML File: Shows the XML configuration file for the selected connector. 

• Get Thread Dump: Gets one thread dump for the selected connector. 

• Get Two Thread Dumps: Gets two thread dumps for the selected connector, spaced by the time 
interval specified. By comparing both thread dumps, HP Customer Support can troubleshoot 
connectors with threads that are hanging for unknown reasons. 

• Get Heap Dump: Generates a heap dump, if possible, which can be useful to ArcSight in some 
situations to analyze problems. The destination ID is used as part of the file name, the file is placed 
in the same directory as the connector's logs, and normally only 10 such files are kept. Treat heap 
dumps as sensitive: they capture the connector process's memory, including any credentials and 
event data held in it at the time. 

• Get last N lines of 'agent.log': Shows an excerpt from the connector log file based on the number of 
lines you specify. The default is 500 lines. 

• Get System Properties: Shows system properties for the selected connector, including details such 
as the Java runtime name, Java virtual machine (VM) version, operating system name, paths for 
various Java components, paths for ArcSight Home, user directories, user home, and so forth. 

• Enable Event Flow Tracing: Lets you specify a component and fields to log in order to initiate an 
event flow trace. Component and field names must be provided in the appropriate syntax. Choose 
the component from the components listed in the Get Status results. 

• Disable Event Flow Tracing: Disables event flow tracing on the selected component. 

• Get Event Flow Tracing Log: When tracing is enabled on the selected connector, the connector logs 
data about events it receives; this command retrieves that log. 

• DNS Test: Takes one parameter, which is either a host name to resolve or an IP address to reverse 
resolve. This is useful for seeing what results the connector's name resolver component would 
normally return, since the command uses the same lookup mechanism as the name resolver. 

• Enable Map File Logging: Directs the AgentNATProcessor component, which processes map files 
for each event, to log what it is doing for each event. By default the last 100 events are logged. 

• Disable Map File Logging: Directs the AgentNATProcessor to stop logging. 

• Get Collected Map File Logging: Gets the collected log messages for the most recent events (100, 
by default), which may help debug why a map file is not operating as expected. 


Mapping Commands 

The following commands provide access to SmartConnector component mapping and event 
categorization for advanced users. 

Mapping category 

• Get Additional Data Names: Returns a list of additional data names seen for each device 
vendor/product combination since the connector started running. For example: 

  Additional Data Names Seen: 
  Generic (no vendor/product): 
    test1 [3 times] 
    test11 
    test13 [2 times] 
  Vendor/product [vend/prod]: 
    test1 
    test10 [6 times] 

  By default, the command limits the list to show only the most recent 100 device vendor/product 
  combinations and the most recent 100 names for each. 

  Tip: You can change this limit by editing the SmartConnector property 
  agent.additionaldata.mapper.track.max.names in the file 
  $ARCSIGHT_HOME/ArcSightSmartAgents/current/user/agent/agent.properties on the machine 
  where the connector is installed. In most cases we recommend keeping the defaults. If you change 
  a property setting such as this, restart the connector. 

  If a data name is not a string, its data type is displayed in the list. If the connector saw an 
  additional data name more than once, the command output indicates the number of times the name 
  was seen. 
• Map Additional Data Name...: Brings up a dialog where you can map an additional data name to 
an ArcSight event field for the selected connector. If you are using additional data, add the 
turbo.enabled=false property to the Manager's server.properties file. 

  For a generic mapping, leave the Device vendor and Device product fields blank. For a specific 
  mapping, fill in these fields with the appropriate vendor and product names. 

  Typically, the Additional data name is one of the names shown in the Get Additional Data Names 
  output (but it can be another name not on that list). 

  The ArcSight field must be a valid ArcSight event field. 

  Click OK to create the mapping. 

  Here is an example of the command output for a successful generic mapping: 

    Successfully mapped additional data name [test11] to event field [message] for vendor/product [] 

  A successful device vendor/product-specific mapping returns output similar to this: 

    Successfully mapped additional data name [test10] to event field [message] for vendor/product [vend/prod] 

  If the additional data name has not been seen, the name is still mapped, but with a warning like 
  this: 

    Successfully mapped additional data name [foo] to event field [deviceCustomString1] for vendor/product [vend/prod] (note that additional data name [foo] has not been seen for vendor/product [vend/prod]) 

  If the ArcSight field is not valid, the error returned is similar to this: 

    Failed to map additional data name [bar] to event field [messages] for vendor/product [vend/prod] (event field [messages] is unknown) 
• Unmap Additional Data Name...: Brings up a dialog, with Device vendor, Device product, and 
Additional data name fields, where you can unmap an additional data name for the selected 
connector. 

  To remove a generic mapping, leave the Device vendor and Device product fields blank. To remove a 
  specific mapping, fill in these fields with the appropriate vendor and product names. The additional 
  data name should be one that was previously mapped for the specified device vendor and product 
  combination. 

  Click OK to unmap the data name. 

  Here is an example of the command output for a successful generic unmapping: 

    Successfully unmapped additional data name [test11] for vendor/product [] 

  A successful device vendor/product-specific unmapping returns output similar to this: 

    Successfully unmapped additional data name [foo] for vendor/product [vend/prod] 

  If the specified additional data name was not previously mapped, the output looks like this: 

    Failed to unmap additional data name [foo] for vendor/product [vend/prod] (not previously mapped) 

  Notes: 

  • One additional data name can be mapped to more than one ArcSight field for the same device 
  vendor/product combination, and in this case unmapping it unmaps it from all ArcSight fields for 
  that device vendor/product. This is an unlikely scenario, however. 

  • The converse case, where multiple additional data names are mapped to the same ArcSight field 
  for the same device vendor/product combination, results in the last mapping taking precedence 
  over any previous mappings to that ArcSight field for that device vendor/product. No warning is 
  generated in this case. 
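Because the Console gives no warning when a second additional data name is mapped to an event field that another name already targets, it is worth checking a mapping plan before applying it through the dialog. The following Python class is an added example, not part of this guide or of ESM: it models the Map and Unmap behaviour described above (one name may target several fields, the last mapping to a field wins, and unmapping a name removes it from every field it targeted for that vendor/product) and records the supersessions that the product itself performs silently. The set of valid ArcSight event field names is a constructed subset, and the "seen" names are passed in by the caller rather than read from Get Additional Data Names output. 

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed subset of ArcSight event field names used for validation (assumption:
# a real check would use the full event schema).
KNOWN_EVENT_FIELDS: Set[str] = {"message", "name", "deviceCustomString1",
                                "deviceCustomString2", "deviceCustomNumber1"}

Key = Tuple[str, str]  # (device vendor, device product); ("", "") is the generic mapping


def _label(vendor: str, product: str) -> str:
    # The Console prints [] for the generic mapping and [vendor/product] otherwise.
    return f"{vendor}/{product}" if vendor or product else ""


class AdditionalDataMappings:
    """Model of the Map/Unmap Additional Data Name semantics described above,
    plus a conflict list that the Console does not provide."""

    def __init__(self, known_fields: Set[str] = KNOWN_EVENT_FIELDS) -> None:
        self.known_fields = known_fields
        # (vendor, product) -> additional data name -> event fields it targets
        self._fields: Dict[Key, Dict[str, List[str]]] = defaultdict(dict)
        # (vendor, product) -> event field -> name whose mapping currently wins
        self._winner: Dict[Key, Dict[str, str]] = defaultdict(dict)
        self.conflicts: List[str] = []

    def map(self, name: str, field: str, vendor: str = "", product: str = "",
            seen: Set[str] = frozenset()) -> str:
        key, label = (vendor, product), _label(vendor, product)
        if field not in self.known_fields:
            return (f"Failed to map additional data name [{name}] to event field "
                    f"[{field}] for vendor/product [{label}] (event field [{field}] is unknown)")
        previous = self._winner[key].get(field)
        if previous is not None and previous != name:
            # Documented behaviour: the later mapping silently supersedes the earlier one.
            self.conflicts.append(f"[{name}] supersedes [{previous}] on event field "
                                  f"[{field}] for vendor/product [{label}]")
        targets = self._fields[key].setdefault(name, [])
        if field not in targets:
            targets.append(field)
        self._winner[key][field] = name
        msg = (f"Successfully mapped additional data name [{name}] to event field "
               f"[{field}] for vendor/product [{label}]")
        if name not in seen:
            msg += (f" (note that additional data name [{name}] has not been seen "
                    f"for vendor/product [{label}])")
        return msg

    def unmap(self, name: str, vendor: str = "", product: str = "") -> str:
        key, label = (vendor, product), _label(vendor, product)
        fields = self._fields[key].pop(name, None)
        if fields is None:
            return (f"Failed to unmap additional data name [{name}] for vendor/product "
                    f"[{label}] (not previously mapped)")
        # Unmapping removes the name from every field it targeted for this vendor/product.
        # Whether a superseded earlier mapping becomes active again is not stated in the
        # guide; this model leaves the field unpopulated (assumption).
        for field in fields:
            if self._winner[key].get(field) == name:
                del self._winner[key][field]
        return f"Successfully unmapped additional data name [{name}] for vendor/product [{label}]"

    def effective(self, vendor: str = "", product: str = "") -> Dict[str, str]:
        """Event field -> additional data name that actually populates it."""
        return dict(self._winner[(vendor, product)])
```

Feed your intended mappings through `map()` in the order you would enter them in the Console; anything in `conflicts` afterwards is a mapping the product would accept without comment while discarding an earlier one. 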

Categorizer mapper category 

• Reload custom categorizations: There are several ways to set event category information for 
events. The least common of these is to store custom categorization files (organized by vendor and 
product) on the connector machine in the user/agent/aup/acp/categorizer/current directory (or the 
user/agent/acp/categorizer/current directory). 

  If such categorization files exist and have been changed, this command reloads them without 
  restarting the connector. 

• Reload custom map files: Rescans and reloads map files in the user/agent/map directory on the 
machine where the connector is installed. 

  The map files are named in the form map.n.properties, where n is a number starting with 0. Use 
  this command to immediately apply the latest changes. Not all connector setups include custom 
  map files. 

  Caution: Map files are created on some connector machines to fulfill specific needs. If you are not 
  familiar with the categorizer/mapping setup of an environment, we recommend that you do not use 
  these commands. 

• Reload external map files: Rescans and reloads external map files in the user/agent/extmap 
directory on the machine where the connector is installed. 

  The map files are named in the form extmap.n.properties, where n is a number starting with 0. Use 
  this command to immediately apply the latest changes. Not all connector setups include custom 
  external map files. 

  Caution: External map files are created on some connector machines to fulfill specific needs. If you 
  are not familiar with them, we recommend that you do not use the Reload commands. 


Managing SmartConnector Groups 

You can best manage ArcSight SmartConnectors when you organize them into groups. You'll find all 
uncategorized SmartConnectors in the Unassigned group. 

You can move or copy groups and SmartConnectors into other groups in the Connectors resource tree 
by using drag-and-drop. If a group is deleted, the SmartConnectors within that group are also deleted. 

You should not delete a Connector resource at the ArcSight Console, unless the corresponding 
SmartConnector is first stopped. If the SmartConnector on the device is running and its Connector 
resource is deleted, the SmartConnector cannot send events to the ArcSight Manager, causing the 
SmartConnector to start caching events and eventually dropping these events. 

Where: Navigator > Connectors 

Tip: Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 
To create a SmartConnector group: 

1. Right-click a group and choose New Group. 

A "name" text field appears under the group you selected. 

2. In the "name" text field, type in a name. 

3. Press Enter. 

To rename a SmartConnector group: 

1. Right-click a group and choose Rename. 

2. In the "name" text field, rename the group. 

3. Press Enter. 

To edit a SmartConnector group: 

1. Right-click a group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text fields. 

3. Click OK. 

To move or copy a SmartConnector group: 

1. Navigate to a group and drag and drop it into another group. 

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you choose Copy, you create a separate copy of the group that is not affected when the original 
group is edited. If you choose Link, you create a copy of the group that is linked to the original 
group. Therefore, if you edit a linked group, whether it be the original or the copy, all links are edited 
as well. When deleting linked groups, you can either delete the selected group or all linked groups. 

To delete a SmartConnector group: 

1. Right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 




Importing and Exporting SmartConnector Configurations 

You can import and export SmartConnector configurations as a means of sharing custom 
configurations among several connectors on the same or multiple Managers. Rather than redefining a 
complex configuration on each connector, you can export the configuration as an XML file and then 
import it into connectors that share some or all of its configuration settings. An override feature allows 
you to make changes to any of the parameter values upon import. 


Importing a SmartConnector Configuration 

1. In the Navigator panel, choose the Connectors resource tree. 

2. In the Connectors resource tree, right-click the SmartConnector into which you want to import a 
new configuration and choose Import Connector Configuration... 

This displays a file browser where you can select the file to import. 

3. In the file browser, navigate to and select the .xml file that contains the connector configuration, 
and click Open. 


Tip: Save and import SmartConnector configurations as XML files. 


This displays the Import Connector Configuration dialog, which shows the original and proposed new 
configuration settings for the selected connector, with an option to override any of the proposed new 
values. (Click Show to show the details of the import or Hide to hide them.) 

a. For each aspect of the connector configuration, the dialog shows the current value, the new 
value, and an override option. You can accept all new values, or override any setting you do not 
want to import by either keeping the parameter value in the original configuration or defining a 
new value. 

For example, you can limit the import to only filters by keeping all values in the original 
configuration and choosing to override only the filter values with the imported values, as detailed 
in "SmartConnector Filters" below. (Scroll down to the Filters section at the end of the Import 
dialog to see the filters.) 

b. When you are satisfied with the settings to import and the overrides (if any), click OK to import 
the configuration. 


Exporting a SmartConnector Configuration 

1. In the Navigator panel, choose the Connectors resource tree. 

2. In the Connectors resource tree, right-click the SmartConnector you want to export, and choose 
Export Connector Configuration As... 

This brings up a file browser where you can navigate to the location where you want to save the 
configuration as an XML file. 

3. In the file browser, navigate to and select the location where you want to save the configuration, 
provide a name for the file, and click Save. 


Tip: SmartConnector configurations must be saved as XML files. 


SmartConnector Filters 

You can import and export only the filters associated with SmartConnectors as a part of an import or 
export on a SmartConnector. 

• To export a SmartConnector filter, export the connector that uses the filter (as described in the 
previous topic on exporting a SmartConnector configuration). 

• To import a SmartConnector filter into another connector, start by selecting in the Navigator the 
SmartConnector to which you want to add a new filter. Follow the steps to import the connector that 
includes the filter you want to import (as described in the topic on importing a SmartConnector 
configuration). On the Import Connector Configuration dialog, limit the import to only the filters you 
want by keeping all values in the original configuration and choosing to override only the filter values 
with the import. (Scroll down to the Filters section at the end of the Import dialog to see the 
SmartConnector Filters.) When you have the new, imported filter values selected to override those 
in the original connector, complete the import by clicking OK on the Import Connector Configuration 
dialog. This adds the imported filters to the original SmartConnector. 


Using Additional Data Fields 

Some devices include event data with data fields that are not included in the standard event data 
schema. You can configure your SmartConnector to send these fields as additional data. Refer to the 
FlexConnector Developer’s Guide, which is available at https://protect724.hp.com for information on 
configuring SmartConnectors to send additional data. 

You can view additional data fields in the Active channel ("Monitoring Active Channels" on page 210) 
and the Event Inspector ("Event Inspector" on page 988). 


Upgrading SmartConnectors 

You can centrally manage and configure SmartConnectors and update them remotely. Use the 
Upgrade command on the ArcSight Console to upgrade to newer versions of SmartConnector software 
for managed devices. Use the Rollback command to revert to a previous version on an upgraded 
connector. 

The Upgrade command lets you launch, manage, and review the status of upgrades for all 
SmartConnectors. A fail-over mechanism launches SmartConnectors with previous versions if 
upgrades fail. All communication and upgrade processes between components (Console, Manager, 
connectors) take place over secure connections. 

The ArcSight Console reflects current version information for all of your SmartConnectors. 
Note: SmartConnector remote upgrade is supported for connectors installed on Linux and 
Windows platforms only. 


Overview of the Upgrade Process 

1 . As an ArcSight customer, you receive e-mail notifications about new connector releases from 
Customer Support. 

2. ArcSight administrators download the latest releases to the ArcSight Manager where they are 
available for SmartConnector upgrades. 

Tip: SmartConnector upgrade version files are delivered as ArcSight Update Pack (.aup) files. 
(ArcSight update packs are compressed file sets, similar to .zip files.) The administrator copies the 
.aup file to ARCSIGHT_HOME/updates/ on a running ArcSight Manager. The Manager 
automatically unzips the .aup file and copies its contents to ARCSIGHT_HOME/repository/. 
Because anything placed in that directory is unpacked and offered to connectors for installation, 
restrict write access to ARCSIGHT_HOME/updates/ to the administrators who perform upgrades, 
and use only packs obtained from HP Customer Support. 

3. From the ArcSight Console, administrators select connectors to be upgraded (one at a time) and 
launch the upgrade command for each of them. 

4. The selected connectors upgrade themselves, restart, and send upgrade results (success or 
failure) back to the ArcSight Console through the ArcSight Manager. The upgraded connector runs 
in the same home directory as the old connector. 

■ If the upgrade is successful, the new connector starts and reports a successful upgrade 
status. 

■ If the upgraded connector fails to start, the original connector restarts automatically as a fail-
over measure. This is essentially an automatic rollback and restart. 

[Figure: the ArcSight Manager sends "Upgrade connector to new version" to the SmartConnector, 
and the SmartConnector reports "Upgrade succeeded or failed" back to the ArcSight Manager.] 
Tip: Tips on Monitoring SmartConnector Upgrade Status 

SmartConnectors automatically determine their upgrade status when they start. 

• When a connector starts up, it determines whether it has been upgraded. 

• If so, it waits for a configurable time interval for events from the monitored device to be 
processed. 

• If, after that time interval, events have been processed, the SmartConnector is deemed up and 
running. The ArcSight Console indicates that the upgrade for that connector is a success and 
shows the newer connector version. 

Additional notes on the SmartConnector upgrade procedure: 

• When upgrading SmartConnectors, be sure to download current versions of the connector 
Configuration Guides from the HP Software Support Online Web site 
(http://softwaresupport.hp.com). New or revised information is provided in these guides as 
appropriate per each release of SmartConnectors. To check version numbers on your current 
connectors, see "Getting Status and Versions on Installed SmartConnectors" on page 179. 

• You need administrative permissions to upgrade connectors. 

• Newer versions of the connectors you want must be available on the Manager to which you are 
connected. 

• The option for remote upgrade is available only on SmartConnectors of version 4.0.2.xxxx.0 or 
newer. Earlier versions of Connectors (or Agents) must be upgraded manually by installing a newer 
version of the connector. 

• As a prerequisite to upgrading connectors, both the ArcSight Manager and the connector must be 
running. 

• The Upgrade SmartConnectors command is available as one of several SmartConnector control 
commands. 


SmartConnector Upgrade Procedure 

1. Choose the Connectors resource in the Navigator panel. 

2. In the Connectors resource tree, select the connector you want to upgrade, right-click to bring up 
the context menu, and choose Send Command > Upgrade > Upgrade. 

This launches a Command Parameters dialog. 

3. Provide the following information in the dialog. 

■ Version - The Version field provides a drop-down menu showing the connector versions 
available on this Manager. Choose the version number of the connector to which you want to 
upgrade. 

■ Event wait (sec) - Number of seconds the upgrade process waits for the first event from the 
device after the new, upgraded connector is started. If no events are received from the device 
within the specified time frame, the upgrade is considered "failed" and the old connector is 
launched. 

This optional check is an additional safeguard against upgrade failures. For example, the 
connector binaries may have been upgraded successfully, but the new version may have 
problems communicating with the device. In that case, this check assumes that the upgrade 
failed and brings back the old connector. 

If the Event wait (sec) value is 0 (the default), then the upgrade does not perform this check. For 
a device that sends events only occasionally, choose a wait long enough to cover its normal quiet 
periods; otherwise a healthy upgrade is rolled back simply for lack of an event. 

4. Click OK to close the dialog and start the upgrade. 

As the upgrade proceeds, the connector shows as down and then running again in the resource tree. 
Status messages on the ArcSight Console indicate whether the upgrade succeeds or fails. You can 
check the logs for the connector to determine if the upgrade succeeded. (Send Command > Tech 
Support > Get 'agent.properties' and Get Upgrade Logs.) 


Rolling back to a Previous Version 

• You need administrative permissions to roll back Connectors. 

• Rollback automatically reinstates the most recent version prior to the currently installed version. 
You cannot do a remote rollback on a connector to other than the previously installed version. 

• Check with HP Customer Support for ArcSight products on the SmartConnector version to which 
you can roll back. 

1. Choose the Connectors resource in the Navigator panel. 

2. In the Connectors resource tree, select the connector you want to roll back, right-click to bring up 
the context menu, and choose Send Command > Upgrade > Rollback. 

As the rollback proceeds, the connector shows as down and then running again in the resource tree. 
You can check the logs for the connector to determine if the rollback succeeded. (Send Command > 
Tech Support > Get 'agent. properties' and Get Upgrade Logs.) 


Troubleshooting 

If an upgrade or rollback fails, you can review the related logs. Choose Send Command > Tech 
Support > Get Upgrade Logs from the ArcSight Console menus. 
You can also use the Send Logs wizard to collect and compress logs, which you can then attach to an 
email, if desired. 


Getting Status and Versions on Installed SmartConnectors 

Before or after you upgrade a SmartConnector, you may want to check the version numbers of 
currently installed connectors or get other status information. There are several ways to get 
information on currently installed connectors (including various control commands, channels, and 
dashboards). Two of these are highlighted here as easy ways to get connector version information. 

To get status on a SmartConnector: 

1. Choose the Connectors resource in the Navigator panel. 

2. In the Connectors resource tree, select the connector you want to check, right-click to bring up 
the context menu, and choose Send Command > Status > Get Status. 

The Status information on a connector includes "Agent Version" near the top of the message window. 
Here is an example snippet of the Get Status command results for a Test Alert connector, version 
7.1.2.7396.0: 

Status Generated: Wed Mar 07 13:20:09 PST 2015 
Memory Usage: 65Mb out of 253Mb 
Agent Content Version: 2015-03-01-09-02-05_7396 
Agent Type: testalertng 
Agent Version: 7.1.2.7396.0 
CommandResponses Processed: 1097 
Current Max Rate: 22 
Event rate LTC: Wed Mar 07 13:18:42 PST 2015 
Events Processed: 24003 

To view SmartConnector Dashboards: 

Choose Dashboards from the Navigator panel, and expand the folders to find various dashboards. To 
view a dashboard, right-click it and choose Show Dashboard. 

You can find some of these SmartConnector dashboards in /Dashboards/Shared/All 
Dashboards/ArcSight Administration/Connector/: 

• Connector and Device - Heads Up Display 

• Connector Status 
The following topics cover user management. 


Managing User Groups 180 

Managing Users 182 


Managing User Groups 

ESM user groups are designed to contain users with a common set of roles (see the topic, "User 
Roles," in ESM 101) and permissions. ESM provides the following user groups: 


ESM User Group Types 

• Administrators. Associated with the administrator role with all privileges and permissions, including 
changing other groups' privileges and permissions. 

• Custom User Groups. Minimum privileges and permissions, but administrator can modify. 

• Default User Groups. Further subdivided into subgroups that map to roles in the enterprise's security 
operations center (SOC). Each subgroup has a predefined set of privileges but administrator can 
modify. 

■ Analyzer Administrators. Associated with the author role. Responsible for creating ESM content. 

■ Operators. Associated with the operator role. Use content created by authors to monitor 
security-related activities. Handle and resolve cases as assigned. 

■ Operators/Analyst. Associated with the business user role. 


Tip: If you belong to the Administrators group, you can view all groups and their associated 
permissions. Right-click a group and choose Edit ACL to open the ACL Editor for that group. Refer 
to "Managing Permissions" on page 189. 

Where: Navigator > Resources > Users 
To create user groups: 

Caution: Do not exceed more than 10,000 resources in a group. 
1. Right-click a group and choose New Group. 

A name text field appears under the group you selected. 

2. In the name text field, type in a name. 

3. Press Enter. 

4. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

To rename user groups: 

1. Right-click a group and choose Rename. 

2. In the "name" text field, rename the group. 

3. Press Enter. 

To edit user groups: 

1. Right-click a group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text fields. 

3. Click OK. 

To move or link (copy) user groups: 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 

1. Navigate to a group and drag and drop it into another group. 

2. Choose Move to move the group or Link to create a copy of the group that is linked to the original 
group. 

If you choose Link, you create a copy of the group that is linked to the original group. Therefore, if 
you edit a linked group, whether it is the original or the copy, all links are edited as well. When 
deleting linked groups, you can either delete the selected group or all linked groups. 

To delete user groups: 

If you delete a group, the users within that group are also deleted, unless they are also contained by 
other groups. 
1. Right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 

To set Console startup views: 

You can define the set of active channel and dashboard resource groups that members of a given 
ArcSight user group see by default when they first log in. This includes both ArcSight Console and 
Command Center users. These channels and dashboards are initial defaults only: once users begin 
changing the content of the Viewer panel, the ArcSight Console and Command Center follow their 
normal behavior of remembering the most recent state. 

The default active channels and dashboards you select for user groups are listed in the User Group 
Editor on the Startup Views tab. 

1. Right-click a user group and choose Edit Group. 

2. In the User Group Editor, click the Startup Views tab, then the Active Channels or Dashboards 
tabs. 

3. In either resource tab, click Add to open a resource selector dialog box. 

4. Navigate to and select the appropriate active channels or dashboards to set as users' start-up 
resources, and click OK. Repeat this step to add more resources. 

5. Click Refresh to update the current list of resources, or click Remove to take a selected resource 
off the list. Click Edit to change a selected resource in its own editor. 

6. Click Apply to make changes and leave the editor open, or click OK to apply your changes and 
close the editor. 

The following topics include configuration instructions related to user groups: 

• "Managing Permissions" on page 189 

• "Managing Notifications" on page 203, specifically the topic, "Managing Notification Destinations" 
on page 205 


Managing Users 

You manage large numbers of users by organizing them into groups based on roles or other logical 
groupings, setting their permissions and passwords, and enabling or disabling their login functionality. 

Permissions to access specific resources (for example, to create rules or reports) are granted to 
specific groups by editing the access control lists (ACLs) for those groups. 

When users log in, they are allowed to perform any operations for which they are granted permission 
through their membership in one or more groups. 
When you create an ESM user, that person automatically receives access to a set of resource groups. 
Users can store, create, edit, or delete resources within their groups without jeopardizing other users' 
resources. 


Note: Some system operations, for example, audit event generations, are done on behalf of a 
special system user called 1ROOTUSER. When you are investigating event details, you might 
see a user ID with this value. This user ID is valid and intended for internal use only. 

See the following topics: 

• "Creating or Editing a User" below 

• "Resetting User Passwords" on page 186 

• "Moving or Linking a User" on page 186 

• "Deactivating and Reactivating a User" on page 186 

• "Deleting a User" on page 187 


Creating or Editing a User 

Where: Navigator > Resources > Users 

1. Locate the user group. 

2. If you are creating a user, right-click the group for this user based on the user's role (See 
"Managing User Groups" on page 180 for the group types) and choose New User. 

If you are editing a user, expand the group, right-click the user, choose Edit User. 

3. In the User Editor, fill in or edit these fields on the Attributes tab in the Login section: 

Login Attributes 

User ID: User name for login ID. This is a required field. 

User Type: Choose a user type from the drop-down menu. This is a required field. 

The currently supported user types are: 

■ Normal User: Has full privileges to use both the ArcSight Console and 
Command Center, and all tools. Only apply this user type to accounts that 
actually need access to the ArcSight Manager. 

■ Management Tool: Has only the privileges needed to run certain management 
tools used in conjunction with network management products. 

■ Forwarding Connector: Has only the privileges needed by the 
Forwarding Connector. 

■ Archive Utility: Has only the privileges needed to run the archive utility. 

Access to specific resources is controlled through ACLs. 

■ Connector Installer: A specialized identity used only to add SmartConnectors 
to the system. 

■ Web User: Has privileges to use the ArcSight Command Center but not the 
ArcSight Console or other tools. 

For more information, see "Users" on page 1067 and "User Types" on page 1068. 

Login Enabled: 

■ Select the Login Enabled checkbox to give the user login privileges (a 
checkmark indicates this feature is on). 

■ Or leave it deselected and off (no checkmark showing) to disable logins for 
this user. 

Note: A user account login must be enabled to allow login access to the Console. 

External User ID: Optionally, provide an alternate, external user ID. (An external user ID might be 
relevant if you have user accounts from other applications feeding into the user 
database.) 

Password: Enter a password for this user. This is a required field. 

By default, passwords require a minimum of 6 characters, can contain a maximum 
of 20 characters, and can contain numbers, letters, or a combination. System 
administrators can set special policies or requirements for their sites through a 
configuration file. For information on password restrictions see the Administrator's 
Guide, chapter 2, "Configuration," "Managing Password Configuration," "Password 
Character Sets." 

You can modify passwords later. See "Resetting User Passwords" on the next 
page. 

Confirm: Re-type the password to confirm it. This is a required field. 


4. Fill in or edit these fields on the Attributes tab in the User section: 

User Attributes 

Last Name: User's last name 

First Name: User's first name 

Title: User's job title 

Department: User's department 

Phone: User's phone number 

Fax: User's fax number 

E-mail: User's e-mail address. Use the format user@host.domain. The "@" sign and 
host domain are required. E-mail addresses are not case-sensitive. 

Pager: User's pager number, if applicable. 

Note: For phone, fax, or pager numbers, parentheses (), dashes (-), and periods (.) are 
allowed. Alphabetic characters are not allowed. 

5. Optional: If you created commands to integrate with other applications, set the Integration 
Parameters attributes for the user if applicable. Refer to "Integration Commands" on page 623 and 
"Setting User Login Parameters" on page 643 for instructions. 

6. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 
Resetting User Passwords 

Administrators can reset user passwords; for example, if a user's original password has been 
compromised or you want to make users update their passwords. 

1. While logged into the ArcSight Console as an administrator, choose the Users resource in the 
Navigator panel. 

2. Right-click the user whose password you want to reset and choose Reset Password. 

The ArcSight Manager assigns a new random password (8 characters, including numbers and letters) 
and sends it to the selected user's assigned e-mail address. 

Caution: Be aware that sending a password by e-mail can be dangerous since e-mails can be 
intercepted. 

Alternatively, use the following command on the ArcSight Manager to reset a user's password: 
arcsight resetpwd 


Moving or Linking a User 

Where: Navigator > Resources > Users 

1. Navigate to a user and drag and drop it into another group. 

2. Choose Move to move the user or Link to create a copy of the user that is linked to the original 
user. 

If you choose Link, you create a copy of the user that is linked to the original user. Therefore, if 
you edit a linked user, whether it is the original or the copy, all links are edited as well. When 
deleting linked users, you can either delete the selected user or all linked user copies. 


Deactivating and Reactivating a User 

A user is deactivated for the following reasons: 

• The ArcSight administrator manually clears the user’s Login Enabled checkbox. The administrator 
can also right-click and choose Delete User, then click the Disable Login button instead of 
Delete. 

• The user attempted to log in and failed three times. 

• The user has been inactive for 90 days. 
Note: The 90-day period is set in the server.properties file through the 
auth.user.account.age property. This property is not dynamic. If you want to change the 
default number of days, refer to the topic on "Managing and Changing Properties File Settings" 
in the Administrator's Guide. 


A deactivated user is denied access to ArcSight Console and ArcSight Command Center. On the 
Console, the icon associated with a deactivated user appears gray and the Login Enabled checkbox is 
cleared. 

Tip: When a user’s login is enabled or disabled, the audit event, User updated, is generated. 
However, the event does not indicate what type of update has occurred. The Enabled or Disabled 
information is stored in DeviceCustomString6 field. One way you can view this information is to 
add DeviceCustomString6 as a column to the System Events Last Hour channel. 

Where: Navigator > Resources > Users 

To reactivate a user: 

1. Navigate to the deactivated user. 

2. Right-click and choose Edit User. 

3. Click Login Enabled. 

4. Click Apply. 

The user icon’s color is restored. 


Deleting a User 

By default, only users in the Administrators user group can delete users. As an administrator, you can 
also grant non-administrators permissions to delete users from within their own group. Refer to 

"Granting or Removing User Group Permissions" on page 193 for details. 

Where: Navigator > Resources > Users 

1. Right-click the user and choose Delete User. 


Caution: A dialog asks whether you want to delete the user or disable the user's login (deactivate the user 
but keep the user definition in the database). Deleting a user means deleting all resources that 
user created: the user's rules, lists, cases, and so on. Click More Information for a list of 
these resources. If you need these resources, copy them to another resource group before 
deleting the user. If you need more time, disable the login first to prevent unauthorized 
access. 
2. In the dialog box, click Delete to delete the user and the listed user's resources, or click Disable 
Login to disable the user. 
Chapter 7: Managing Permissions 

The task of managing users is largely that of managing their access to and use of resources. 
Discussions on permissions include: 

• "Editing Access Control Lists (ACLs)" below 

• "Granting or Removing Resource Permissions" on the next page 

• "Granting or Removing Operations Permissions" on page 192 

• "Granting or Removing User Group Permissions" on page 193 

• "Adding or Removing Enforced Filters" on page 196 

• "Permissions for Sortable Field Sets " on page 198 

• "Sharing Resources" on page 199 

• "Controlling Who Has Permissions to Deploy Data Monitors" on page 200 


Editing Access Control Lists (ACLs) 

The user group's ACL Editor has these tabs for viewing or editing permissions on resources, operations, 
user groups, events, and sortable field sets: 

• Resources tab - Lists all resources available to the user group with either inspect or edit 
permissions, and lets you add/edit resource permissions. 

• Operations tab - Lists operations for which this user group has permissions, and lets you add and 
edit operations permissions. For example, a user group can have permissions to enable or disable 
data monitors. 

• User Groups tab - Lists the user groups with either inspect or edit access to the user group itself, 
and lets you add user groups. 

• Events tab - Lists event filters for which this group has permissions, and lets you add/edit event 
filter permissions. This user group is permitted to see only events from the filters listed on the 
Events tab. By default, custom user groups inherit their ACL settings for events from the parent 
group. If the user group has no access to event filters, the behavior is as if the group’s specified 
filter in the ACL editor were Filters/Shared/All Filters/ ArcSight System/Core/No Events. 

• Sortable Field Sets tab - Lists sortable field sets for which this user group has permissions. Lets 
you add and edit field set permissions. 

See also "Access Control Lists" on page 783. 
Caution: Always remember to have both ArcSight Console and ArcSight Command Center users 
log out and back in after changing user or resource access permissions, so they can see those 
changes. 

Tip: The Resource ACL display shows relationships between users and groups, and how 
permissions are acquired for each of the user groups. Child groups inherit permissions from parent 
groups. For example, consider the following scenario. 

• A user logged in as Administrator (belonging to the group /All Users/Administrators) has 
read and write permissions by virtue of being in the Administrators group. 

• All users have read permissions because they belong to the group /All Users/Default User 
Groups by default. 

• A user logged in as an Analyzer Administrator has both read and write permissions because 
they inherit read permissions from the parent group (/All Users/Default User Groups) and 
get write permissions per the Analyzer Administrators child group. 


Granting or Removing Resource Permissions 

Caution: Be sure to set permissions on resources and permissions on events 
appropriately for user groups. 

Preventing users from viewing groups of resources does not necessarily prevent those same 
users from viewing event data on those resources. 

Users with permissions to view certain events (determined by event filters as described here), can 
view all event fields for those particular events (in reports, query viewers, and so forth) even if they 
do not have permissions on some resources reflected in the event data. 

For example, a user with no read permissions on an asset could still have permissions to view 
event data related to the asset, and thereby have access to the data contained in the event fields 
(such as server name, IP address) in the context of that event. 

As a best practice, keep the above in mind when granting permissions on events. Otherwise, you 
might give some users a view into resource information through event data that you did not intend 
for them to see. 

Where: Navigator > Resources > Users 

1. Choose a user group. 

2. Right-click the user group and choose Edit Access Control. 

3. In the ACL Editor, choose the Resources tab. 
The Resources tab lists all resources available to this user group with either inspect (Read) or edit 
(Write) permissions, and lets you add/edit resource permissions. Available resources are listed 
based on user permissions, so some might not show. 



4. Add or remove permissions on a resource for this user group as follows. 

■ To edit permissions on a resource shown in the current list, click the (R) read or (W) write 
checkbox next to a target resource to add or remove permissions on that resource. 

A checkmark means that this user group has access to the associated resource. A blank 
checkbox means this group does not have access to the resource. 


[Screenshot: Resources tab listing the targets /All Active Channels and /All Active Lists with R and W checkboxes] 


■ To add permissions for a resource not shown in the current list, select a resource from 
the Resource drop-down menu at the top of the Resources tab and click Add. 
[Screenshot: ACL Editor for /All Users/Default User Groups/Analyzer Administrators, with the Resource drop-down set to Filter, the Add... button, and the Set Permissions On... tabs (Resources, Operations, User Groups, Events, Sortable Field Sets)] 

The resource selector dialog for the chosen resource is displayed. Select the resources you 
want to add permissions for and click OK. 

The resource you added is listed as a target on the Resources tab and then you can edit its 
Read/Write permissions as needed. 

■ To remove a resource from the list (and remove all permissions on it for this group), select 
the resource in the list and click Delete. (The Delete button is at the bottom of the Resources 
tab). 

5. Click OK on the User Group ACL Editor to save changes to Resources permissions. 


Granting or Removing Operations Permissions 

Examples of operations are deleting cases, reading and writing field sets, and deploying data monitors, 
among others. The default user groups available in ESM come with their own set of operations 
permissions, such as case deletion. Other operations, such as data monitor 
deployment, require explicit granting of permissions to user groups. (See also "Controlling Who Has 
Permissions to Deploy Data Monitors" on page 200.) 

Any new groups added under Custom User Group may not have any access to most operations. 
Administrators can allow or block users for operations permissions by setting permissions on a 
particular operation. 

Where: Navigator > Resources > Users 

1. Choose a group. 

2. Right-click the user group and choose Edit Access Control. 

3. In the ACL Editor, select the Operations tab. 

The operations for which this user group has permissions (if any) are listed. 

4. Add or remove user group permissions to perform an operation as follows. 

■ To add permissions to perform an operation not listed, click Add. 

In the Permissions Selector dialog, choose the operations (expand the nodes as required) you 
want to add permissions for and click OK. 
[Screenshot: Permissions Selector tree: Permissions > Shared > All Permissions > ArcSight ConApp, ArcSight Risk Insight, ArcSight System (Case Operations, DataMonitor, Domain, Fieldset Operations, Peer Operations, Saved Search Operations, Scheduled Search Operations, Search Filter Operations, Search Operations, Summary Operations), Unassigned; OK, Cancel and Help buttons] 


The list of Operations is updated to include the one you added. Operations listed are those this 
user group has permissions to perform. 

■ To remove permissions to perform an operation, select the operation in the list and click 
Delete. The Delete button is at the bottom of the Operations tab. 

5. Click OK on the User Group ACL Editor to save changes to Operations permissions. 


Granting or Removing User Group Permissions 

Where: Navigator > Resources > Users 

To grant permission to edit user groups: 

1. Choose a group. 

2. Right-click the user group and choose Edit Access Control. 

3. In the ACL Editor, choose the User Groups tab. 

The User Groups tab lists all user groups for which members of the selected group have inspect 
(Read) or edit (Write) permissions, and lets you add/edit group permissions. 
[Screenshot: Set Permissions On... tabs (Resources, Operations, User Groups, Events, Sortable Field Sets); the User Groups tab lists /All Users/Administrators with R and W checkboxes] 


Tip: This is where you grant or deny members of the group you are editing permissions to edit 
their own user groups. Depending on your own user permissions, some user groups may or 
may not be shown, and Read/Write checkbox options may or may not be editable. 


4. Add or remove permissions on a user group as follows. 

■ To edit permissions on a user group shown in the current list, click the (R) read or (W) 
write checkbox next to a target resource to add or remove edit permissions on that user group. 
A checkmark means that this user group can edit permissions on the associated group. A blank 
checkbox means this group does not have edit permissions on it. 



[Screenshot: User Group list showing /All Users/Administrators with its R and W checkboxes] 


■ To add permissions on a user group not shown in the current list, click Add. 


[Screenshot: ACL Editor for /All Users/Default User Groups/Operators/Analyst, User Groups tab, with the Resource selector, the Add... button, and /All Users/Administrators listed with R and W checkboxes] 


The resource selector dialog for the chosen resource is displayed. Select the groups you want to 
add permissions for and click OK. 
The user group you added is now listed on the User Groups tab and then you can edit its 
Read/Write permissions as needed. 

[Screenshot: User Groups tab listing /All Users/Administrators and /All Users/Default User Groups/Operators/Analyst/Can Deploy Data Monitors with R and W checkboxes] 


■ To remove a user group from the list (and remove all edit permissions on it), select the user 
group in the list and click Delete. (The Delete button is at the bottom of the User Groups tab). 

5. Click OK on the User Group ACL Editor to save changes to User Group permissions. 

To grant non-administrators permission to delete users: 

By default, only administrators have permissions to delete users in a group. If you want to grant 
non-Administrator users permission to delete users within their group (Group1 is used in this example), first 
provide Write access to the group by editing access to User Groups in the ACL Editor, as described in 
the previous procedure to grant permission to edit user groups. 

After following the instructions, verify Group1's ACL Editor in the User Groups tab. Group1 should 
appear on the list, as shown: 



Additional settings are required. One of them is setting a server property. The other setting is providing 
Write access to user Reports. This is because deleting users will also delete the resources they 
created, including query viewers, reports, and so on. Reports created by that user cannot be deleted 
unless delete permission for that user’s reports is also granted. The steps below provide instructions on 
the additional settings. 

1. Read thoroughly the ESM Administrator's Guide's topic on Managing and Changing Properties 
File Settings. In the server.properties file, set the following property: 

user.allowmodification=true 

2. Restart the Manager. 

3. Log into the ArcSight Console as Administrator, and select the Users resource in the Navigator. 
4. Select the group for non-administrators (Group1 as an example) who will be allowed to delete 
users in its own group. 

5. Right-click Group1 and choose Edit Access Control to display the ACL Editor. 

6. On the ACL Editor, click the Resources tab. 

7. Select Report in the Resource drop-down menu, and click Add to display the Reports Selector 
popup. 

8. In the Selector popup, select all users under Reports/Shared/Personal/ and select each user 
belonging to Group1. Click OK. All users are shown as Resources targets. 

9. Click to set Read (R) and Write (W) permissions as desired. 

10. Click Apply or OK to save your changes. 

Members of Group1, even if they are not administrators, can now log into the ArcSight Console and 
delete users in their own group. To delete users, refer to "Deleting a User" on page 187. 


Adding or Removing Enforced Filters 

This topic describes enforced filters that define what events a user group can view. By default, all new 
groups cannot view any events. If you view the Events tab on the ACL, the filter is shown as 

/All Filters/ArcSight System/Core/No Events 

After you add filters to this tab, they become the user group's enforced filters that override No Events, 
which will appear disabled. The filters you add can be ArcSight-provided filters or custom filters, based 
on individual groups’ requirements. 

These filters determine the events that are displayed to the user, for example, on the active channel. 
When a user creates a data monitor, events that passed the user's enforced filters are displayed on the 
data monitor. 


Tip: User groups are granted permissions to events by means of event filters enforced in groups. 
The enforced filters limit the types of events group members can access through the ArcSight 
Console. 

By default, members of the administrators group can view all events, as indicated by the 
Administrators group's enforced filter: /All Filters/ArcSight System/Core/All Events. 

For more information about filters in general, see "Filtering Events" on page 286. For more 
information about events, see "Events" on page 989 and "Event Categorization" on page 990. 
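The ACL behaviour this chapter describes (child groups inheriting Read/Write from parent groups, the No Events default on the Events tab, and the caution that enforced filters can reveal data about resources a group has no Read permission on) as an added Python model; this is example code written for this page, not ArcSight's, and the group hierarchy below the three named default groups, the filter predicates, the asset paths and the events are constructed assumptions. exposed_assets is the check an administrator would want to run before adding event filters to a group.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

# The two Core filters the guide names; WEB_EVENTS is a constructed custom filter.
ALL_EVENTS = "/All Filters/ArcSight System/Core/All Events"
NO_EVENTS = "/All Filters/ArcSight System/Core/No Events"
WEB_EVENTS = "/All Filters/Shared/Custom/Web Server Events"

# Filter name -> predicate over an event (assumption: a filter is a plain predicate).
FILTERS: Dict[str, Callable[[Event], bool]] = {
    ALL_EVENTS: lambda e: True,
    NO_EVENTS: lambda e: False,
    WEB_EVENTS: lambda e: e.get("deviceProduct") == "Apache",
}


@dataclass
class Group:
    resource_acl: Dict[str, Set[str]] = field(default_factory=dict)  # Resources tab: path -> {"R", "W"}
    enforced_filters: List[str] = field(default_factory=list)        # Events tab: filter names


def ancestors(path: str) -> List[str]:
    """'/a/b/c' -> ['/a', '/a/b', '/a/b/c'], root first."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def resource_perms(groups: Dict[str, Group], group_path: str, resource: str) -> Set[str]:
    """Effective R/W on a resource: the union over the group's ancestor chain (child groups
    inherit from parents, as the ACL tip describes) and over the resource's containing groups
    (assumption: a permission on a resource group covers the resources inside it)."""
    perms: Set[str] = set()
    for g in ancestors(group_path):
        grp = groups.get(g)
        if grp is None:
            continue
        for r in ancestors(resource):
            perms |= grp.resource_acl.get(r, set())
    return perms


def enforced_filters(groups: Dict[str, Group], group_path: str) -> List[str]:
    """Filters on the Events tab. A group with its own filters uses them; otherwise it inherits
    from the nearest ancestor that has some; with none anywhere the effect is No Events."""
    for g in reversed(ancestors(group_path)):
        grp = groups.get(g)
        if grp is not None and grp.enforced_filters:
            return list(grp.enforced_filters)
    return [NO_EVENTS]


def can_view_event(groups: Dict[str, Group], group_path: str, event: Event) -> bool:
    return any(FILTERS[f](event) for f in enforced_filters(groups, group_path))


def exposed_assets(groups: Dict[str, Group], group_path: str, events: List[Event],
                   asset_of: Callable[[Event], str]) -> List[Tuple[str, str]]:
    """The gap the guide's caution describes: events the group may view whose fields name an
    asset the group has no Read permission on. Returns (event id, asset path) pairs."""
    out: List[Tuple[str, str]] = []
    for ev in events:
        asset = asset_of(ev)
        visible = can_view_event(groups, group_path, ev)
        if visible and "R" not in resource_perms(groups, group_path, asset):
            out.append((ev["id"], asset))
    return out


# Constructed hierarchy mirroring the tip's scenario; only the three default group names come from the guide.
ADMINS = "/All Users/Administrators"
DEFAULTS = "/All Users/Default User Groups"
ANALYZER = "/All Users/Default User Groups/Analyzer Administrators"
NEW_GROUP = "/All Users/Custom User Groups/Group1"
HOTLIST = "/All Filters/Shared/Custom/Hotlist"

GROUPS: Dict[str, Group] = {
    ADMINS: Group({"/All Assets": {"R", "W"}, "/All Filters": {"R", "W"}}, [ALL_EVENTS]),
    DEFAULTS: Group({HOTLIST: {"R"}}, []),            # every default user can read the hotlist filter
    ANALYZER: Group({HOTLIST: {"W"}}, [WEB_EVENTS]),  # authors additionally get write on it
    NEW_GROUP: Group(),                               # a fresh custom group: nothing granted yet
}

# Constructed events and a constructed mapping from destination host to its asset resource.
EVENTS: List[Event] = [
    {"id": "e1", "deviceProduct": "Apache", "destinationHostName": "web01"},
    {"id": "e2", "deviceProduct": "OpenSSH", "destinationHostName": "bastion01"},
]
ASSET_PATHS = {"web01": "/All Assets/DMZ/web01", "bastion01": "/All Assets/Internal/bastion01"}


def asset_of(ev: Event) -> str:
    return ASSET_PATHS[ev["destinationHostName"]]


if __name__ == "__main__":
    print(sorted(resource_perms(GROUPS, ANALYZER, HOTLIST)))   # read inherited, write from the child group
    print(enforced_filters(GROUPS, NEW_GROUP))                 # No Events until filters are added
    print(exposed_assets(GROUPS, ANALYZER, EVENTS, asset_of))  # web01 reachable through events only
```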

Where: Navigator > Resources > Users 
1. Select a user group. 

2. Right-click the user group and select Edit Access Control. 

3. In the ACL Editor, select the Events tab. 

The default enforced filter is listed on the tab. 


[Screenshot: Events tab of the ACL Editor with the Resource drop-down set to Filter, the Add... button, and the default filter /All Filters/ArcSight System/Core/No Events listed] 


Caution: Be sure to set permissions on resources and permissions on events 
appropriately for user groups. 

Preventing users from viewing groups of resources does not necessarily prevent those same 
users from viewing event data on those resources. 

Users with permissions to view certain events (determined by event filters as described 
here), can view all event fields for those particular events (in reports, query viewers, and so 
forth) even if they do not have permissions on some resources reflected in the event data. 

For example, a user with no read permissions on an asset could still have permissions to view 
event data related to the asset, and thereby have access to the data contained in the event 
fields (such as server name, IP address) in the context of that event. 

As a best practice, keep the above in mind when granting permissions on events. Otherwise, 
you might give some users a view into resource information through event data that you did 
not intend for them to see. 


4. Add or remove user group permissions to view events as follows. 

■ To add permissions to view events captured by a filter not shown in the current list, click 
Add. 


[Screenshot: ACL Editor for /All Users/Default User Groups/Operators/Analyst, Events tab, with the Resource drop-down and the Add... button] 


On the Filters Selector dialog, choose the filters for events that the user group can view and 
click OK. 
[Screenshot: Filters Selector tree: Filters > admin's Filters (Hostile Attempt, Hostile Reconnaissance, Hotlist) and Shared > All Filters > ArcSight Administration > Connectors, ESM (Configuration Changes, System Health: ASM Events, ASM Load Overview, Events, Resources); OK, Cancel and Help buttons] 


The list of enforced filters for the user group is updated to include the ones you added: 


[Screenshot: Events tab now listing /All Filters/ArcSight Administration/ESM/System Health/ArcSight Status Monitoring E..., /All Filters/ArcSight Administration/ESM/System Health/Events/Audit/ArcSight Audit..., /All Filters/ArcSight System/Core/No Events, and /All Filters/Personal/admin's Filters/Hotlist] 


The default /No Events filter is disabled as you add enforced filters to the Events tab. 

■ To remove enforced filters (event filters for this user group), select a filter in the list and click 
Delete. The Delete button is at the bottom of the Events tab. You cannot delete the default /No 
Events filter. 

5. Click OK on the User Group ACL Editor to save changes to Operations permissions. 


Permissions for Sortable Field Sets 

ArcSight-provided sortable field sets are used to manage processes that come from all resources. To 
minimize the impact on performance, you are provided two pre-indexed field sets on which you can 
sort: 

Field Set | Based on 
All Field Sets/ArcSight System/Sortable Field Sets/Index Field Set | ARC_E_ET 
All Field Sets/ArcSight System/Sortable Field Sets/Index Field Set | ARC_E_MRT 

These field sets are indexed for the event's end time (ET) and Manager's receipt time (MRT), 
respectively. For additional information, see "Sortable Field Sets" on page 1047. 


Sharing Resources 

You can share your resources with other users by moving, copying, or linking your resource to or into 
another resource's Public group; for example, to share a filter you would move it into the Public Filters 
group in the Filters resource tree. 

To share a resource: 

1. In a resource tree, drag a resource and drop it into the Public group (this can be a single resource or 
a resource group). 

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you choose Copy, you create a separate copy of the resource that is not affected when the 
original resource is edited. If you choose Link, you create a copy of the resource that is linked to 
the original resource. Therefore, if you edit a linked resource, whether the original or the copy, all 
links are edited as well. When deleting linked resources, you can either delete the selected 
resource or all linked resources. 

You can also multiple-select resources with the Shift key, and drag-and-drop or keyboard copy- 
and-paste, to move, copy, or link them in another group. 


Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only 
one resource at a time. 
Controlling Who Has Permissions to Deploy Data Monitors 

Data monitor deployment is controlled through User Access Control Lists (ACLs). Administrators can 
allow or block users for data monitor deployment permissions. 

Depending on the permissions associated with the user group to which they belong, users may or may 
not have options available on their ArcSight Consoles to Enable (deploy) or disable (un-deploy) data 
monitors. (See also "Enabling or Disabling a Data Monitor" on page 257.) 

Administrators (all users belonging to the Administrators user group) have permissions to deploy and 
undeploy data monitors. 

Administrators can grant permissions to deploy or disable data monitors for other, non-Administrator 
users through the Users resource Access Control Lists (ACLs) editor, as described in "Granting or 
Removing Operations Permissions" on page 192. As with user permissions for other resources, these 
are applied at a user group level. As an administrator, you can grant all users in a given group 
permission to deploy data monitors. After user groups are set up and appropriate permissions are 
applied to those groups, you can add new users to appropriate groups, and change access permissions 
for existing users by moving them in or out of various groups. If you want to allow or disallow a 
particular user the option to deploy data monitors, move the user in or out of a group that has that 
permission. 

Note: About Write and Deploy permissions 

Data monitor deployment is an all-or-nothing permission (it applies to all data monitors), while read 
and write permissions are specific to each data monitor. So, in some cases a user could have 
read-only access to one data monitor and read-write access to another. To deploy a data monitor, a 
user needs both deployment permissions and write permissions. Users with permissions to deploy 
data monitors can deploy only those data monitors for which they have write permissions. (Fields 
in the data monitor editor are grayed out for all users without write permission.) 


To configure data monitor deployment permissions: 

1. If needed, set up one or more user groups for non-administrator users to whom you want to control 
permissions to deploy data monitors. For example, at the simplest level you might have a group for 
analysts and operators who are allowed to deploy data monitors and another for those you want to 
block from this option. 

See "Managing Users" on page 182 and "Managing User Groups" on page 180 for information on 
adding, deleting, and editing users and user groups. 

2. Follow the instructions provided in "Granting or Removing Operations Permissions" on page 192 
to grant or remove permission to deploy data monitors to a particular group. As a part of these 
instructions, you'll select the Users resource in the navigator, right-click a group and choose Edit 
Access Control. 
3. In the ACL Editor, click the Operations tab, and click Add. 

4. On the Permissions Selector, select Deploy under Permissions\Shared\All 
Permissions\ArcSight System\Data Monitor\ and click OK to save the settings and close the 
dialog. 

The list of Operations is updated to include deployment permissions on data monitors. 




To remove the permission for this group, select the permission and click Delete. 

5. Click OK on the ACL Editor to save your changes. 

For information on deploying or disabling data monitors, see "Enabling or Disabling a Data Monitor" on 
page 257. 

For more information on administrator tasks of working with user permissions and ACLs, see 
"Managing Permissions" on page 189. 


How Upgrades Affect Data Monitor Deploy Permissions 

Upon installation and deployment of a different version of software (for example, version or service 
pack upgrades), only administrators (admin users) keep permissions to deploy and disable data 
monitors. Non-administrator users do not have deploy permissions on data monitors even if they had 
such permissions as part of the previous configuration. 

After upgrades, all users have access to already-deployed data monitors. But, initially, non-admin 
users do not have permissions to enable/disable data monitors, nor do they have access to new data 
monitors unless an administrator enables (deploys) these. 

To re-establish data monitor deployment permissions for non-administrator users after an upgrade, 
administrators can reconfigure fine-grained permissions. They can re-group users and perhaps link 
non-administrator users into existing or new groups with more permissions (like data monitor 
deployment), as described in "Controlling Who Has Permissions to Deploy Data Monitors" on the 
previous page. 


Deployment Permissions on Imported Data Monitors 

If a user without data monitor deploy permissions imports a data monitor that was archived in the 
enabled state, the import succeeds but the data monitor is disabled. After the import, the user does not 
have permissions to deploy the data monitor unless an administrator reconfigures permissions for that 
user. 
If a user with data monitor deploy permissions imports a data monitor that was archived in the enabled 
state, the import succeeds and the data monitor keeps its enabled (deployed) setting. After the import, 
this user can view the data monitor and re-set its deployment state as needed. 
Notifications and their content are created using rules configured with the Send Notification rule action 
(see "Rule Actions Reference" on page 520). 


Managing Received Notifications 

If the Notifications button in the ArcSight Console toolbar indicates that new notifications have arrived, 
click that button to open the Notifications tab in the Viewer panel. This is your central 
notification repository if you belong to the destination group configured to receive notifications on the 
Console (the notification group's Destination Type is set to Console). 

You can open the Notifications manager at any time by clicking the toolbar button, even if no new 
notifications are present. 


To use the Notifications manager you first choose a category tab for the type of notification received. 


Notification Category | Use 

Pending | These are notifications that you have not yet handled (reassigned to one of the 
following categories). Pending notifications older than 24 hours are automatically 
refiled as Not Acknowledged. 

Undeliverable | These are notifications that were not delivered. 

Acknowledged | These are notifications to which you have replied. 

Not Acknowledged | Pending notifications that go unacknowledged or unresolved for more than 24 hours 
are automatically refiled as Not Acknowledged. 

Resolved | These are notifications for which you or a colleague have found a resolution and so 
have marked the notification accordingly. 

Informational | These are notifications that are provided for information purposes only and do not 
require resolution or intervention. The Informational tab includes a Delete button. If you no longer 
need an informational notification, select it and click Delete. 




Note: If you don't see notifications appearing, make sure your ArcSight user identity (not just your 
e-mail address) is set as a destination in the Notifications Editor. 

In a category, click Acknowledge to mark a selected notification as acknowledged. Click View Event 
to see the event that triggered a notification. Click Resolve to reclassify the notification as Resolved. 


For each category of notification there is a common set of columns of information concerning them. 


Notification Column | Definition 

Priority | This is the same priority set by the SmartConnector and modified by the current threat 
level formula (and seen in grid views), unless modified by the rule that triggered the 
notification. 

Triggering Event | The event that caused the rule to trigger the notification. 

Notification Group | The branch of the Notifications resource tree to which this destination belongs. 

Escalation Level | The Escalation Level (and implied destinations) the notification has reached while 
waiting for resolution. 

Create Time | The time at which the notification was created. 


Note: You can set a severity threshold for notification pop-ups and sounds in 
ArcSight Console Preferences. 


Managing Notification Groups 

This topic describes how to handle the tasks required for managing notification groups. 

Caution: Do not exceed 10,000 resources in a group. 

To create notification groups: 

Note: As a user, you can create new groups under All Destinations, but not new subgroups 
under existing system-defined groups. 
1. On the Navigator panel drop-down menu, choose the Notification resource tree. 

2. In the Notification panel, right-click All Destinations and choose New Group. 

A "name" text field appears under the group you selected. 

3. In the "name" text field, type in a name. 

4. Press Enter. 

To rename notification groups: 

1. In the Notifications resource tree, right-click a group and choose Rename. 

2. In the "name" text field, rename the group. 

3. Press Enter. 

To edit notification groups: 

1. In the Notifications resource tree, right-click a group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text fields. 

3. Click OK. 

To delete notification groups: 

1. In the Notifications resource tree, right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 


Managing Notification Destinations 

Destinations are mapped to user groups; therefore, make sure the user group exists (see "Managing 
User Groups" on page 180) for the destination you are creating. 

To create or edit destinations: 

1. In the Notification resource tree in the Navigator panel, right-click an escalation level (such as 
Level 1). 

2. If you are creating a destination, choose Add New Destination. 
If you are editing a destination, right-click a notification destination and choose Edit Destination. 

For more information, see "Changing Notification and Acknowledgment Settings" on the next 
page. 

3. In the Notification Editor, enter a label for the notification in the Name field. 

4. Set a Start Time and End Time during the day within which the notification is to be active. The 
default is all day (12:00:00 AM to 11:59:59 PM). 

5. Select a Destination Type and the related parameters for that type, as follows: 

■ For Console, additionally select a user or a user group. This displays the notification on the 
users' ArcSight Console UIs. 

■ For Email Address, enter a valid email address and additionally select a user or user group. 

Note: Always set the ArcSight User/Group identity for all destination types. 

6. For User/Group, select the group from the resource selector popup. 

7. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

8. Click OK. 

To move or copy destinations: 

1. In the Notification resources tree, find a destination and drag it to a different escalation level. You 
can drag across groups if needed. 

2. Right-click the destination and choose Move to move it, Copy to make a separate copy, or Link to 
create a copy of the destination that is linked to the original destination. 

If you choose Copy, you create a separate copy of the destination that is not affected when the 
original destination is edited. If you choose Link, you create a copy of the destination that is linked 
to the original destination. Therefore, if you edit a linked destination, whether the original or the 
copy, all links are edited as well. When deleting linked destinations, you can either delete the 
selected destination or all linked destination copies. 

To delete destinations: 

1. In the Notification resource tree, right-click a notification destination and choose Delete 
Destination. 

2. In the dialog box, click Yes. 
Changing Notification and Acknowledgment Settings 

Administrators can configure notifications, acknowledgments, and wait-time settings. The escalation 
time window or wait-time depends on the event's severity. 

Note: If notifications and acknowledgments were disabled during Manager setup, mail server 
settings made through the ArcSight Console do not take effect until you re-run the Manager 
configuration wizard to enable notifications and acknowledgments on the Manager side. 

To re-enable notifications settings, follow instructions in the ESM Administrator's Guide to: 

• Stop the ArcSight Console and Manager. 

• Re-run the Manager configuration wizard and enter settings for your SNMP server. 


To change e-mail settings: 

1. In the Notification resource tree, right-click a group and choose Settings, then Edit E-mail 
Settings. 

2. In the Notification Editor, type in the following text fields: 


Notification Field | Definition 

From Address | The e-mail address from where the notification messages are sent. It is 
important that the "from address" specified is one that is not rejected by the 
SMTP server, since some SMTP servers reject unknown e-mail addresses. For 
notifications sent by cell phone, any cell phone must be e-mail enabled. 

Outgoing Mail Server | The host name of the local outgoing mail server. This is the SMTP server 
ArcSight uses to send e-mail. The Outgoing Mail Server must be accessible from 
the ArcSight Manager for e-mail notifications to be sent. SMTP is used to send 
e-mail. An SMTP server must be configured either at install time or set here. 

Incoming Mail Server | The local incoming mail server host name. 

Incoming Mail Protocol | Select either IMAP or POP3 mail protocols. 

E-mail Account | The e-mail account name. For notifications sent by e-mail, you need to add an 
address to the e-mail Address field. 

Account Password | Enter the password for the account. 

Confirm Password | Re-enter the same password to confirm. 


Note: POP3 and IMAP can be used to check for e-mail acknowledgments. You can specify 
these options at install time, or set them here. For acknowledgements, the relevant fields are 
"incoming mail server," which is the POP/IMAP server to specify to check e-mail, "incoming 
mail protocol," which is either POP3 or IMAP, "account" and "password," which are the login 
name and password to access the mailbox from the incoming mail server. Note that replying to 
mails from the notification "from address" should reach the mailbox accessible to the 
"account" login. 

3. Type the E-mail Account password in the Password text field and confirm it in the Confirm 
Password text field. 

4. Click OK. 

To change wait time settings: 

The default wait-time values for Very-High severity and High severity are set at 5 minutes, Medium is 
set for 30 minutes, and Low is set for 2 hours. 

1. In the Notification resource tree, right-click a group and choose Settings, then Edit Escalation 
Wait Time. 

2. In the Notification Editor, type in the wait time for the hour (Hr) and minute (Min) text fields for 
Very-High, High, Medium, or Low severity. 

3. Click OK. 


Testing Notification Groups and Destinations 

This topic describes how to test notification groups and destinations. 

To test group notifications: 

In the Notification resource tree, right-click a populated notification group and choose Test Group 
Notification. 
A test notification message is sent to the notification destination. Test notifications are not sent to 
group notification destinations if the End Time has expired. For example, if you test group notification at 
6:00:00 PM and the End Time states 5:00:00 PM, a notification message is not sent to the group. 

To test destination notifications: 

In the Notification resource tree, right-click a notification destination and choose Test Destination 
Notification. 

A test notification message is sent to the notification device. Test notifications are not sent to 
notification destinations if the End Time has expired. For example, if you test a notification destination 
at 6:00:00 PM and the End Time states 5:00:00 PM, a notification message is not sent to the device. 


Managing Escalation Levels 

This topic describes how to handle the tasks required for managing escalation levels. 

To add an escalation level: 

In the Notifications resource tree, right-click a notification group and choose Add Escalation Level. 

New escalation levels are added in sequential order. If you want to add a level between two existing 
levels, add another level then move destinations accordingly. For example, if you have Level 1 and 
Level 2 and you want to add a level between them, add another level, Level 3. Then, move all 
destinations from Level 2 to the new Level 3. 

To delete an escalation level: 

1. In the Notifications resource tree, select the last escalation level in a notification group. 

Note: All destinations within this escalation level are also deleted. If you want to save the 
destinations, make sure you move them to another level before deleting. 

2. Right-click the escalation level and choose Delete Escalation Level. 
This topic describes how to monitor events coming from SmartConnectors using tools that are 
displayed in the Viewer panel. You can monitor events through a rich set of views, including active 
channels and grids, dashboard graphics and tables, and active lists, as described in the following topics: 


Monitoring Active Channels 

Active channels provide a streaming view of events coming into your system that can be viewed 
numerous ways using numerous types of filters and field sets. 


Using Views 

Views can vary in scope and scale, from broad to narrow, and from graphic to detailed, depending on 
how your enterprise is organized and monitored. 

To select a view: 

In the Viewer panel, click a tab at the top to choose an active channel by name. On a channel, you can 
select various instances of that channel (such as a grid view and bar chart of the same data) by clicking 
its tile or its tab at the bottom of the panel. 

Alternately, to advance quickly through each of the tabs in the Viewer panel, press Ctrl+Shift+N (next) 
or Ctrl+Shift+P (previous) to jump forward or backward. These keystrokes apply to any type of view in 
the Viewer panel. 

To change view layouts: 


You change individual view layouts with the Layout Selector menu available from the blue icon at the 
lower-right corner of the Viewer panel. Click this icon to choose: 


Layout Option | Result 

Tab | Fill the active channel display with the current view and make other open views 
selectable by tabs at the lower border. 

Tile Best Fit | Display all views in the active channel as variously shaped tiles, giving each a 
proportional amount of space. 

Tile Horizontally | Display all views in the active channel horizontally, giving each a proportional 
amount of space. 

Tile Vertically | Display all views in the active channel vertically, giving each a proportional amount 
of space. 


To float a view: 

In the active channel's name tab, right-click and choose Float. 

To close one or all views: 

In the active channel's name tab, right-click and choose Close or Close All. 

To close an individual view, Shift+click its name tab. You can also right-click a view name tab and 
choose Close from the popup menu. 

To close all views except the current one: 

In the active channel's name tab, right-click and choose Close All But Current. 


Viewing and Using Channels 

Viewing and using active channels include creating them, filtering them, customizing contents, 
changing presentation formats or layouts, and deleting them. 

Also, an action from a triggered rule can create a new active channel. 

Note: Press Enter to register edits made in editors and channel columns. 

To ensure that ESM registers a change you make to a field in editor and channel columns, press 
Enter before clicking Apply or OK. 

Viewing an Active Channel 

When viewing an active channel, keep the following in mind: 

• If a channel is open when Daylight Savings Time goes into or out of effect, the live channel will not 
reflect the correct start and end times until the channel is closed and re-opened. 

• If an active channel uses a filter that applies conditions to a list data type field, the active channel 
will include multiple rows for the same event or resource (for example, in actor channels). This 
behavior is expected. 
To view an active channel: 

1. Choose Active Channels in the Navigator. 

2. Right-click a channel and choose Show Active Channel. The selected channel is displayed in 
the Viewer. 

To view resources in active channels: 

In addition to events, active channels can also be on certain resources such as actors, assets, 
vulnerabilities, asset categories, scanner reports, cases, and stages. In the Navigator, right-click a 
resource or group, and choose Show <ResourceName>. The resources are displayed in an active 
channel view. 

Using slightly different menu options, you can view the results of triggered Rules in channels as well. 
(For information on creating active channels for Rules, see "Verifying Rules with Events" on page 532.) 

You can also create active channels from filters. In the Filters resource tree, right-click a filter and 
choose Create Channel with Filter. Many resources that have filters also provide this option. For 
example, you can right-click Connectors in the Navigator, and choose Create Channel with Filter to 
create a channel with the filter used by that connector. You can do the same with Assets 
(Vulnerabilities, Zones, Categories, Assets), Cases, and Stages. (For Cases, choose Case Details 
Channel as described in "Working with Events in Cases" on page 609. The case must include some 
events.) 

Sorting Events in an Active Channel 

The names of sortable fields in column headers are indicated with a double-arrow icon. If a field is 
already sorted, an up or down arrow indicates the direction of the sort. 

Note: You might experience performance problems when sorting columns in an active channel. 

Some columns are resource-intensive to sort, such as string fields containing 1000 characters. 
Consider using query viewers instead, where you have the option to group and order fields. 

See "Best Practices to Optimize Channel Performance" on page 220 for additional information. 


To sort events in an active channel: 

• To sort the list by a column, right-click over the column and select Sort Column. 

• To reverse the sort order, select Sort Column again on an already-sorted column. This makes the 
column the primary sort column. 

• To remove a sort, right-click over a sorted column and select Remove Sort. 

For more information, see "Applying a Field Set to an Active Channel" on page 216 and "Sorting 
Columns in Grid Views" on page 1048. For information about how to create field sets that use sortable 
field sets, see "Creating and Using Field Sets" on page 546. 
Primary and Secondary Sort Columns 

When you sort a column, it becomes the primary sort column and the number 1 appears next to the sort 
arrow. The previous column by which the report was sorted becomes the secondary sort column and 
the number 2 appears next to the sort arrow. 

This numbering applies to every column on which you sort: the newest sort is always 1 and the others 
change accordingly. 

Sorting by Primary and Secondary Time Columns 

When your primary and secondary sort columns are both time columns (such as Create Time and 
Modification Time), milliseconds become a factor in sort order. 

Milliseconds are not displayed. This can create a situation where a number of items with the same 
displayed primary time appear to have their secondary sort in the wrong order. In reality the primary 
times differ by milliseconds, so they are not the same, and these milliseconds determine the sort order 
before the secondary time is taken into account. 
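The following Python sketch is an added illustration, not part of the guide: it sorts a few constructed rows by Create Time and then Modification Time at full precision, renders them the way a grid column does (without milliseconds), and shows why the secondary column then looks misordered. The row data, field names, and function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not taken from the guide). Each row has a Create Time
# and a Modification Time with millisecond precision; the grid hides the milliseconds.
BASE = datetime(2015, 6, 1, 9, 0, 0)
ROWS = [
    {"id": "n1", "create": BASE + timedelta(milliseconds=250), "modified": BASE + timedelta(seconds=5)},
    {"id": "n2", "create": BASE + timedelta(milliseconds=100), "modified": BASE + timedelta(seconds=10)},
    {"id": "n3", "create": BASE + timedelta(seconds=1), "modified": BASE + timedelta(seconds=2)},
]


def sort_rows(rows):
    """Primary sort on Create Time, secondary on Modification Time, at full precision
    (this is the order the channel actually uses)."""
    return sorted(rows, key=lambda r: (r["create"], r["modified"]))


def shown(ts):
    """Render a timestamp the way the grid column displays it: whole seconds only."""
    return ts.strftime("%H:%M:%S")


def render(rows):
    """Return (id, displayed Create Time, displayed Modification Time) in channel order."""
    return [(r["id"], shown(r["create"]), shown(r["modified"])) for r in sort_rows(rows)]


def secondary_appears_misordered(rendered):
    """True when two adjacent rows display the same primary time but the secondary
    time goes backwards: the apparent anomaly the guide describes."""
    for (_, p1, s1), (_, p2, s2) in zip(rendered, rendered[1:]):
        if p1 == p2 and s2 < s1:
            return True
    return False


def explain(rows):
    """The same order with milliseconds visible, which shows it is correct after all."""
    return [(r["id"], r["create"].strftime("%H:%M:%S.%f")[:-3]) for r in sort_rows(rows)]


def render_truncated(rows):
    """What the reader expects to see: primary column compared only at displayed
    (second) precision, so the secondary column decides ties. The channel does NOT do this."""
    key = lambda r: (r["create"].replace(microsecond=0), r["modified"])
    return [(r["id"], shown(r["create"]), shown(r["modified"])) for r in sorted(rows, key=key)]


if __name__ == "__main__":
    for row in render(ROWS):
        print(row)             # n2 and n1 share 09:00:00 but modified times read 10s then 5s
    print(secondary_appears_misordered(render(ROWS)))  # True
    for row in explain(ROWS):
        print(row)             # n2 (.100) really does precede n1 (.250)
```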

Creating or Editing an Active Channel 

Where: Navigator > Resources > Active Channels 

To create or edit an active channel: 

1. Locate an active channel group. 

2. If you are creating an active channel, choose New Active Channel. 

If you are editing an active channel, expand the group, right-click an active channel, and choose 
Edit Active Channel. 

3. Set these options: 
Active Channel Attributes 

Attribute | Usage 

Start Time 
The relative or absolute time reference that begins the period to track events in 
the channel. Edit the time expression, choose a common expression from the 
drop-down menu, or click the Selector button to choose an absolute date and 
time value. See "Timestamp Variables" on page 1065 for more options. 

Note: If a channel is open when Daylight Savings Time starts or ends, it does not 
show the correct start time until you restart it. 

You can change the default start time for new channels by editing the 
console.properties file in the <ArcSight_Console_HOME>/current/config 
directory. For example, add this line... 

console.channel.newChannel.defaultSubtractTime="$Now - 2h" 

... to change the start time to two hours ago. For a list of possible time values see 
the Start Time: field pull-down menu. 

End Time 
The relative or absolute time that ends the period to actively track the events in 
the channel. Edit the time expression, choose a common expression from the 
drop-down menu, or click the Selector button to choose an absolute date/time 
value. See "Timestamp Variables" on page 1065 for more options. 

Notes: 

■ If a channel is open when Daylight Savings Time starts/ends, the live channel 
does not show the correct start time until you restart it. 

■ If setting the End Time results in the message "Invalid end date for sliding 
channel," the channel is set to Continuously evaluate instead of Evaluate 
once at attach time. Either re-set the End Time or change the Time 
Parameters option for the channel to Continuously evaluate. 

■ Avoid creating active channels that query more than one day. For active 
channels that query more than one day, use Evaluate time parameters 
once at attach time instead of Continuously evaluate. Better yet, use 
trends for these types of active channels. See also "Best Practices to 
Optimize Channel Performance" on page 220. 

Use as Timestamp 
Choose the event-timing phase that best supports your analysis. End Time 
represents the time the event ended, as reported by the device. Manager 
Receipt Time is the event's recorded arrival time at the ArcSight Manager. 

Time Parameters 
Choose whether the channel will Continuously evaluate to show events that are 
qualified by Start and End times which are re-evaluated constantly while the 
channel is running, or Evaluate once at attach time to show only the events that 
qualify when the channel is first run. 

A channel set to Continuously evaluate is also known as a sliding channel, 
and typically has its End Time option set to $Now. 

Default Field Set 
Choose an existing event field set for the events processed through the channel. 
The default field set is for users who view a channel for the first time. If no default 
is specified, the ArcSight system default is used. When a user closes a channel, 
ArcSight saves the field set (and all other console settings) to the user's .ast file. 

After a user has opened a channel once, the console does not use the default field 
set for that user again. Changing the default only affects other users who have 
never opened the channel before. 


4. Click the Examples button to see how to specify commonly used channel values. 

Entering data in the Common and Assign sections is optional, depending on how your environment 
is configured. For information about the Common and Assign attributes sections, as well as the 
read-only attribute fields in Parent Groups and Creation Information, see "Common Resource 
Attribute Fields" on page 685. 

5. Click the Filter tab to edit the channel's filter condition as described in "Creating Filters" on 
page 286. 

6. Click the Sort Fields tab to explicitly set which fields to sort the channel on in grid views, the sort 
order for those fields, and whether sorting for each field is ascending (A to Z) or descending (Z to 
A). 

7. Click the Local Variables tab to use ArcSight local variables with the channel's filters. 

Tip: You can create local variables, which are only available to the resource you are creating 
(in this case, an active channel), or use global variables. For information on creating global 
variables, see "Creating Filters" on page 286 and "Global Variables" on page 555. 

8. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

9. Click OK to save the channel and to open and run it in the Viewer panel. 
Applying a Field Set to an Active Channel 

To apply a field set to an active channel: 

1. Right-click over any field header and choose Field Sets > Select Field Set to open the Field Sets 
Selector dialog. 

2. In the Field Sets Selector dialog, select a field set and click OK. Domain field sets apply to Oracle-based ESM. 



The active channel is displayed with the selected field set. 


Note: About ArcSight System Sortable Field Sets 

The Sortable Field Sets under ArcSight System are not available for selecting in active 
channels. The ArcSight System sortable field sets are a special set marked for internal use to 
provide the sortable functionality and maintain consistency between the Console user 
interface, field sets, and database indexes. 

For more information about sorting, see "Sorting Events in an Active Channel" on page 212. 


See "Variable Availability and Contexts" on page 1092 for information about using variables in active 
channels. 

Using an Active Channel Header 

Each active channel has a header section with several features you can use to understand and 
manipulate what the channel displays. 
[Figure: active channel header, labeled Name, Priority Indicators, Total, and Minimize/Maximize] 

Active Channel Header Features 

Name and Total: The top line of the header shows the channel's name and how many events it contains. You can also use the Minimize or Maximize button at the right end to close or open the header. 

Note: The event count function on Active Channels only reports live events, not replay events. If you prefer to see a count of all events coming through during a particular period, create a query viewer or report. If you want a count of only replay events, the event count in a replay channel provides an accurate count of all replay events within a specific time window. 

Priority Indicators: On the right border of the header is a column of event-priority statistic indicators. The numbers beside the Priority categories are the number of events in those categories. Click these indicators to filter the channel to show only the selected priority. 

Time Span: The Start Time and End Time show the chronological range of the channel. 

Filter status: This describes the filter that limits what the channel shows. Click a filter status name, such as <No Filter>, to open the Active Channel Editor and its Filters tab, where you can add, edit, or delete contents as described in "Creating Filters" on page 286. You can also right-click the current filter status and choose to edit, save, or remove it. 

Radar display button: Close or open the display with the Minimize or Maximize button at the right end of the Filter line. 

Radar display operation: Click, Shift+click, Ctrl+click, or drag to select bars in the display. You can also drag a selection's borders left or right. The grid then shows just the events the selection represents. 

The display shows “This channel is active but temporarily empty” at any time, no matter how briefly, if there are no qualifying events. This also might show when a channel first opens. 
Filtering an Active Channel 

You can filter active channels through the Filter tab of the Active Channel Editor or inline using the 
blank fields in the top row of each grid view. Right-click the filter name in the header and choose Edit 
Filter to open the editor and create a filter as described in "Creating Filters" on page 286. To use inline 
filters, see "Filtering Active Channels with Inline Filters" on page 234. 

Tip: Understanding how to use the Common Conditions Editor (CCE) is integral to creating and 
editing filters. See "Common Conditions Editor (CCE)" on page 864 for more information. 

Defining Grid Fields Options 

In the New Active Channel dialog box you can choose from the Select a Field Set menu, or you can 
click the Define button to open the Define Grid Fields dialog box. See "Creating and Using Field Sets" 
on page 546 for more information. To change these choices after creating a channel, use the steps 
described in "Customizing Columns" on page 236. 


Grid Field Options 

Fields: A name for the set. 

Available Fields: Select the event fields (also called data fields or attributes) that you want the channel to process. As you make selections, they appear in the Fields to Show list at the right. Remember that not all fields are readily sortable. 

Fields to Show: This list shows the selections you have made in the Available Fields list. The order you give to the fields in this list becomes their default presentation order in grid views. Once populated, you can select one or more fields (Shift+click and Ctrl+click apply) to rearrange with the Move Up, Move Down, and Remove buttons. 

Move Up, Move Down, Remove buttons: These buttons move or remove the fields you select in the Fields to Show list. The order you set becomes the presentation order in grid views. 

Sort First By: After selecting and ordering fields, you establish their sorting order (also called their group-by order). Use Sort First By to set the ascending (A to Z) or descending (Z to A) order of the first or most-significant column. 

Then By: Use the first Then By sort-order field to set the second sorting order. Use the second Then By sort-order field to set the third sorting order. 

More, Less buttons: Click More if you need an additional Then By field. Click Less to remove one. 
Saving Copies of Active Channels and Filters 

You can save copies of active channels or their filters to modify them later. This is useful to retain an 
original channel or filter as is, but use a copy of it for a new resource. 

To save a copy of an active channel under a new name: 

1. Right-click the filter name in the header, and choose Save Active Channel As. 

This opens the Active Channels Selector dialog, which shows the Active Channels resource tree. 

2. Navigate to where you want to save the channel, enter a new name for it, and click OK. 

You can use a copy of the filter for an active channel independently, or as a basis for other filters. Right- 
click the filter name in the header, and choose Save Filter. This opens the Filter Selector dialog, which 
shows the Filters resource tree. Navigate to where you want to save the filter, enter a new name for it, 
and click OK. 

Discovering Patterns in an Active Channel 

Right-click the channel in the Navigator panel's Active Channels resource tree and choose Discover 
Patterns. ESM takes a snapshot of the channel's current contents and examines it for patterns. You 
see the snapshot in the Viewer panel and the profile that generated the pattern appears in your personal 
folder in the Navigator panel's Pattern Discovery resource tree. For more information, see "Pattern 
Discovery" on page 710. 

Deleting an Active Channel 

Right-click the channel in the Navigator panel's Active Channels resource tree and choose Delete 
Active Channel. 

Adding a View Format 

To add another type of presentation (view) for the data in an active channel, click the View Type icon in 
the lower-right corner of the Viewer panel. Choose among grids and the various types of chart or 
graphic views. 

Changing View Layouts 

To change the visual arrangement of individual channels within a view container, such as data monitors 
within a dashboard, click the Layout icon and choose to show or arrange the views by Tab, or Tile 
Best Fit, Tile Horizontally, or Tile Vertically. 
Best Practices to Optimize Channel Performance 

This topic compares active channels, reports, query viewers, and trends in terms of goals and optimal 
resources for various use cases. 

Active Channels or Reports? 

Active channels are the better choice if you would rather see results streaming in as the queries 
proceed, rather than wait for the results to appear in one view in a report. 

However, if total time to results is your goal, run a report instead. An equivalent report completes 
sooner than the channel takes to load to 100%. This is because the active channel runs multiple smaller 
queries instead of one large query, so that it can display initial results more quickly. 

See also "Building Queries" on page 301, "Building Trends" on page 427, and "Understanding the 
Reporting Workflow" on page 371; and “Query and Trend Performance Tuning” in the ESM 
Administrator’s Guide. 

Active Channels or Query Viewers? 

"Query Viewers" on page 323 behave more like reports in that they issue a single query against the 
database and return all results in one batch instead of the streaming progression of results from an 
active channel. Query viewers are most suitable if you have to slice and dice these query results 
further, for example, by changing the sort columns, changing types of charts/grid, and so on. These 
operations are performed on the client side with the results of the already-executed query. If you were 
using an active channel instead, each of these changes would re-run the query, once for every change 
of sort column. 

See also "Query Viewers" on page 323. 

Active Channel Query Time Ranges 

Take note of the query time range in your active channels. The more hours you are querying, the slower 
the results are to load. An active channel shows results in minutes if you are querying a few hours of 
data. But the channel might start taking several hours to query larger time ranges that span more than 
24 hours of data. 

If you are querying over more than a day's worth of data, we recommend running a report (using queries 
and trends) or a query viewer instead of using an active channel. 

Active Channel Filters 

The more filter conditions you define in an active channel, the more work the channel has to do in the 
database to evaluate the conditions. A channel that does not have any filter conditions loads data 
fastest. (This does not mean that the query will run on all events in the database. Only a subset of 
events are queried, based upon the page you are looking at in the channel.) 
If you must use a filter, try to make the filter as restrictive as possible. 

Filtering on Indexed Fields 

In the CORR-Engine, all fields are indexed. There may be search features that can only search a 
subset of fields, such as query viewer or active channel events, but there are no restrictions based on 
indexing, since all fields are indexed. 

Filtering on Join Fields 

The ESM event schema consists of a main arc_event table and several other tables. These other 
tables hold fields related to Annotation, Device fields, Agent fields, Resource References, and so on. If 
your query has a filter condition on a join field, the resulting channel has to do more work to 
evaluate the field. 

Continuously Updating Time Parameters 

A channel that is “live” (querying against a moving time window and continuously updating the query 
time ranges) has to do more work than a channel based on a fixed time window. Performance is 
better on a channel with a fixed time window than on a live channel. See also "Use of the 
“Live” Channel from Standard Content" below for a similar example. 

End Time or Manager Receipt Time 

Using End Time as the time field in your active channel is faster than using Manager Receipt Time. 

This is because End Time is used in the database as the partitioning key, so queries based on it touch 
a smaller number of partitions. 

Avoid creating channels that are based on one time field but sorted on a different time field. A common 
cause of poor channel performance is user-created channels with this configuration; that is, a channel 
based on End Time but sorted on Manager Receipt Time (or the reverse). 

Note: When an event arrives at the Manager so late that it falls beyond the retention period, the 
Manager adjusts the event's time range so that the event is persisted in the second-to-oldest 
retained partition. The event is stored in the second-to-oldest partition because the oldest partition 
may be purged or archived at any time (such as during a data transfer). 

This behavior changes the event's start and end times, which could cause correlation issues, but the 
chance of an event being delayed for longer than the retention period is low. 
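To make the partition argument concrete, here is an added example that is not part of the guide and does not reproduce the CORR-Engine's real storage layout. It models daily partitions keyed on End Time with a seven-day retention window and a fixed clock (all assumptions), and shows two things: a two-hour channel keyed on End Time maps onto one partition while the same window keyed on Manager Receipt Time cannot be pruned, and an event whose End Time is older than the retention window is re-timed into the second-to-oldest partition, as the note above describes.

```python
"""Toy model of End Time partitioning and the late-arrival rule (added example;
assumed: one partition per UTC day, seven days retained, fixed clock)."""
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
RETENTION_DAYS = 7  # assumed: seven daily partitions kept online


def partition_of(ts: datetime) -> datetime:
    """Daily partition key: midnight (UTC) of the day containing ts.
    End Time is the partition key, so this is always computed from End Time."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def retained_partitions(now: datetime) -> list[datetime]:
    """Online partitions, oldest first. Index 0 may be purged or archived at any time."""
    today = partition_of(now)
    return [today - (RETENTION_DAYS - 1 - i) * DAY for i in range(RETENTION_DAYS)]


def route_event(end_time: datetime, now: datetime) -> tuple[datetime, datetime]:
    """Return (partition, stored End Time) for an arriving event.

    A normal event lands in the partition of its End Time. If that End Time is older
    than the retention window, the event is re-timed into the second-to-oldest
    retained partition, because the oldest one may be purged or archived while the
    write is in flight. This re-timing is what changes the event's start/end times.
    """
    parts = retained_partitions(now)
    target = partition_of(end_time)
    if target < parts[0]:
        return parts[1], parts[1]
    return target, end_time


def partitions_scanned(start: datetime, end: datetime, now: datetime,
                       time_field: str) -> list[datetime]:
    """Partitions a channel query over [start, end] has to read.

    With End Time the range maps straight onto partitions (pruning). Manager Receipt
    Time is not the partition key, so nothing can be pruned: an event received in the
    window may sit in any online partition, and every one of them must be read.
    """
    parts = retained_partitions(now)
    if time_field == "End Time":
        return [p for p in parts if p <= end and p + DAY > start]
    if time_field == "Manager Receipt Time":
        return list(parts)
    raise ValueError(f"unknown time field: {time_field}")


if __name__ == "__main__":
    now = datetime(2024, 5, 10, 15, 0, tzinfo=timezone.utc)  # constructed clock
    start = now - timedelta(hours=2)
    for field in ("End Time", "Manager Receipt Time"):
        print(f"{field}: {len(partitions_scanned(start, now, now, field))} partition(s)")
    late = datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc)   # far outside retention
    print("late event routed to:", route_event(late, now))
```

Run as a script it prints 1 partition for End Time against 7 for Manager Receipt Time; the functions take an explicit `now` so the behaviour is reproducible rather than tied to the wall clock.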


Sorting in Active Channels 

By default, the channel has a sort order based upon the time field that was used for creating the channel 
(End Time or Manager Receipt Time). Note that the sorting operation is done in the database query, 
so every time you change the sort column in your open active channel, ESM has to re-create the 
complete channel. 
The sorting operation can be resource-intensive, especially when millions of events match your filter 
conditions. Avoid sorting if your filter conditions are not restrictive. For example, the base channel with 
no filter conditions is normally fastest to load, but it would become the slowest to load if you change its 
default time-based sort order. 


Tip: You can use a query viewer instead, which sorts on the client side with the data it has 
already queried. 


Use of the “Live” Channel from Standard Content 

If you are using /All Active Channels/ArcSight System/Core/Live or any similar channel, be 
aware that the performance of that channel is slower because it has several complex joins (joins with 
Annotations, Resource Reference, Device), and performs additional bit-wise operations to evaluate its 
filter conditions. Depending upon your specific use case, you can simplify and create your own “Live” 
channel that is more efficient. 

Case Sensitive or Case-Insensitive Conditions? 

Wherever possible, use case-sensitive conditions. That will save the extra computation needed for 
TOUPPER operation required for case-insensitive matches. 

I/O Subsystem Performance 

Channel query performance is typically limited by the performance of the I/O subsystem on the 
database. The more events you are inserting, the more load it would cause on the I/O. SAN 
performance, RAID levels, I/O caches, and so on play a role in how much performance we can obtain. 

Diagnostics: Start with Basic Channel Characteristics 

To diagnose channel performance issues, start with the most basic active channel to see whether it 
meets your performance needs, and then keep refining/expanding to come to a point where you can tell 
what change is affecting performance. We recommend starting with the most basic active channel that 
has the following characteristics: 

• Based upon End Time 

• No filter conditions (also, make sure to run as an administrator user so that there is no access 
control filter) 

• Query time is two hours ago to Now 

• No continuous updates of time parameters 

With the above basic active channel, you should see less than a minute wait in starting the channel and 
doing random scrolls in the channel. 
Investigating Views 

This topic explains how to use the Console's Investigate command to refine and explore channels 
contextually, using attributes of the events already being displayed in grid views. 

The Investigate command uses these attributes, and the values found in their events, to automatically 
formulate simple filters or conditions. 

When you create or refine a filter through Investigate, the Viewer panel automatically opens a new view 
of the channel with the filter applied. You explore the filter's effect in this view. You can keep the view 
by saving the channel under a new name, or discard it by right-clicking in the grid and choosing Close. 

[Figure: a temporary view created with the Investigate command] 

When you use Investigate to add a condition to a resource editor such as Rules or Filters, the condition 
appears in the editor panel where you can modify it or click Apply to put it into effect. 

The new or modified views you generate with the Investigate command can be grids, or you can 
choose to display them in applicable chart formats using the Viewer Selector icon in the lower-right 
corner of the Viewer panel. 

To learn more about the event attributes these options use, see "Data Fields" on page 885. 

Using an Event Attribute to Show a New Filtered View 

These options completely control the new view created, ignoring the filter in the original view. You most 
often use them to test and explore. 
In a grid view, right-click an attribute (column) in an event listing and choose Investigate, followed by 
one of these options: 


Investigate Options 

Create Filter [Attribute=Value]: Show only those events in which the selected attribute matches the value in the selected event. 

Create Filter [Attribute!=Value]: Show only those events in which the selected attribute does not match the value in the selected event. 

Create Filter [List of Related Attributes=Value, !=Value]: When the selected attribute is of a type that has related attributes, choose to show only those events that do (or do not) match one of the related attributes on the additional menu. Generally, attributes are considered related if they share a common focus such as IP addresses. 


Refining a Filter with an Event Attribute 

These options open a new view that uses a version of the prior filter modified to include the new filter 
component just selected. You usually apply these as part of a filter-refinement process. 


In a grid view, right-click an attribute (column) in an event listing and choose Investigate, followed by 
one of these options: 


Add [Attribute=Value] to Filter: Show only those events that match both the prior filter elements and the new one. 

Add [Attribute!=Value] to Filter: Show only those events that match the prior filter elements and in which the selected attribute does not match the value in the selected event. 

Add to Filter [List of Related Attributes=Value, !=Value]: When the selected attribute type has related attributes, choose to show only those events that do (or do not) match one of the related attributes on the additional menu. This filtering element is applied in addition to any other already present. Generally, attributes are considered related if they share a common focus such as IP addresses. 


Adding an Event Attribute to a Filtering Condition 

The Add condition to editor options apply to the editor in the Inspect/Edit panel that currently has 
focus. If no editor is open, the default target is the Filters Editor. 

In a grid view, right-click an attribute (column) in an event listing and choose Investigate, followed by 
one of these options: 
Add Condition [Attribute=Value] to Editor: In the current editor, insert a new condition in which the selected attribute matches the value in the selected event. 

Add Condition [Attribute!=Value] to Editor: In the current editor, insert a new condition in which the selected attribute does not match the value in the selected event. 

Add Condition to Editor [List of Related Attributes=Value, !=Value]: When the selected attribute is of a type that has related attributes, add a condition to the current editor using the available list of attribute-value pairs that do (or do not) equate. Generally, attributes are considered related if they share a common focus such as IP addresses. 


To remove a condition from the editor, right-click it and choose Delete. 

When you are using these options to affect a view that is subject to the editor in use, click Apply or OK 
in the editor to put the condition into effect. 

Contextual filters (in contrast to conditions) are temporary unless you save the modified view as a 
named active channel. Condition statements are saved with their relevant editors. 
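The three Investigate menu groups compose conditions in slightly different ways: Create Filter discards the prior filter, Add to Filter ANDs a condition onto it, and the related-attributes submenu carries the clicked value over to another field (for example, an IP seen as Attacker Address pivoted to Target Address). The following added example is not Console code; it models that behaviour over a handful of constructed events. The grouping of the three address fields as "related" is an assumption, since the guide only says related attributes share a focus such as IP addresses.

```python
"""Model of Investigate filter composition (added example, not ESM code)."""
from dataclasses import dataclass

# Constructed sample rows, not real ESM output. Field names follow ArcSight display names.
EVENTS = [
    {"Name": "Failed login",     "Priority": 5, "Attacker Address": "10.0.0.5",
     "Target Address": "10.0.1.20", "Device Address": "10.0.1.20"},
    {"Name": "Failed login",     "Priority": 5, "Attacker Address": "10.0.0.7",
     "Target Address": "10.0.1.20", "Device Address": "10.0.1.20"},
    {"Name": "Port scan",        "Priority": 8, "Attacker Address": "10.0.0.5",
     "Target Address": "10.0.1.21", "Device Address": "192.168.9.1"},
    {"Name": "Successful login", "Priority": 3, "Attacker Address": "10.0.1.21",
     "Target Address": "10.0.0.5",  "Device Address": "10.0.0.5"},
]

# Assumed "related attributes" grouping; adjust to the submenu your Console offers.
RELATED = {
    "Attacker Address": ("Target Address", "Device Address"),
    "Target Address": ("Attacker Address", "Device Address"),
    "Device Address": ("Attacker Address", "Target Address"),
}


@dataclass(frozen=True)
class Condition:
    attribute: str
    value: object
    negate: bool = False   # True models the [Attribute!=Value] variants

    def matches(self, event) -> bool:
        hit = event.get(self.attribute) == self.value
        return not hit if self.negate else hit

    def __str__(self) -> str:
        return f"{self.attribute} {'!=' if self.negate else '='} {self.value!r}"


@dataclass(frozen=True)
class Filter:
    conditions: tuple = ()   # ANDed together, like conditions accumulated in one editor

    def apply(self, events):
        return [e for e in events if all(c.matches(e) for c in self.conditions)]

    def __str__(self) -> str:
        return " AND ".join(map(str, self.conditions)) or "<No Filter>"


def create_filter(attribute, selected_event, negate=False) -> Filter:
    """Investigate > Create Filter [Attribute=Value] (or !=): the prior filter is ignored."""
    return Filter((Condition(attribute, selected_event[attribute], negate),))


def add_to_filter(prior: Filter, attribute, selected_event, negate=False) -> Filter:
    """Investigate > Add [Attribute=Value] to Filter: AND one more condition onto the prior filter."""
    return Filter(prior.conditions + (Condition(attribute, selected_event[attribute], negate),))


def related_attribute_options(attribute, selected_event):
    """The [List of Related Attributes=Value, !=Value] submenu: the clicked cell's value
    applied to each related attribute, offered both as = and as !=. Pick one and wrap it
    in Filter, or pass it through add_to_filter, to pivot the value across roles."""
    value = selected_event[attribute]
    return [Condition(other, value, neg)
            for other in RELATED.get(attribute, ()) for neg in (False, True)]


if __name__ == "__main__":
    clicked = EVENTS[0]                                   # the row the analyst right-clicked
    f = create_filter("Attacker Address", clicked)
    print(f, "->", [e["Name"] for e in f.apply(EVENTS)])
    f = add_to_filter(f, "Name", clicked, negate=True)   # refine: same attacker, other event names
    print(f, "->", [e["Name"] for e in f.apply(EVENTS)])
    pivot = related_attribute_options("Attacker Address", clicked)[0]   # Target Address = 10.0.0.5
    print(pivot, "->", [e["Name"] for e in Filter((pivot,)).apply(EVENTS)])
```

The `Filter.__str__` output is the text you would expect to see in the channel header's filter status line; the pivot in the last step is the same host appearing as a target, which is the typical reason to reach for the related-attributes submenu.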

Permanently Modifying an Active Channel 

1. Use the Navigator panel's Active Channel resource tree to open the view's channel in the Active 
Channel Editor. 

2. Modify a view as described above. 

3. In the editor, give the channel a new name and click OK. 

Showing an Exploited Vulnerability 

The Investigate options include the ability to look for potentially exploitable vulnerabilities associated 
with an event. 

1. Select an event in a grid view. 

2. Right-click the event and choose Investigate > Show Exploited Vulnerability. Available 
information appears in the Vulnerabilities tab of the relevant Asset Editor. 

Showing a Targeted Asset 

You can also find out more about an asset targeted by an event. 

1. Select an event in a grid view. 

2. Right-click the event and choose Investigate > Show Targeted Asset. Available information 
appears in the Asset Editor. 


Using Charts 

The Console offers several chart view options for active channels and for data monitors. You can add 
chart views of the data in many active channels or data monitors simply by choosing a chart type from 
the Format pop-up menu in the view's lower-right corner. 

ArcSight charts remain linked to the data they represent. You can immediately see a chart's events in a 
grid view that presents the data as charted, or filtered further using the options of the Investigate 
command. Charts use the same colorforall values in a series. For example, if you are plotting 
successful and failed logins in a chart, successful logins as a series will have one color. Failed logins 
as another series will have a different color. 

You can click and drag three-dimensional charts on their vertical or horizontal axes to tilt them for better 
viewing. 

Charting an Active Channel's Contents 

1. In the Navigator panel's Active Channels resource tree, right-click a channel and choose Show 
Active Channel. 

2. In the Viewer panel, in the lower-right corner of the newly opened active channel, click the Viewer 
Selector icon to open its menu. 

3. In the menu's Chart branch, choose one of the chart types described below. 

4. The data in the view opens in an additional chart presentation, in the chosen format, within the 
active channel. 

5. Click the Layout icon in the channel's lower-right corner to change the visual arrangement (tabbed 
or tiled) of the views within the channel, if needed. 

Charting a Data Monitor's Contents 

1. In the Navigator panel's Dashboards resource tree, double-click a dashboard or right-click it and 
choose Show Dashboard. 

2. In the Viewer panel, in the lower-right corner of an applicable data monitor, click the Viewer 
Selector icon to open its menu. 

3. In the chart menu, choose one of the types described below. 

4. The data in the monitor switches to a chart presentation. 

For data monitors, the Chart Showing Priorities submenu offers many of these same charting 
options, but with graphic elements such as pie wedges or bar segments that distinguish their priority- 
level components. 




ArcSight Console User's Guide 
Chapter 9: Monitoring Events 


Contents of charts are affected by the things that affect active channels or data monitors, such as 
changing time parameters or filters. Not all charts are applicable to, or available for, all views. 

For more about the format tools available for dashboards, see "Monitoring Dashboards" 
on page 238. 

For more about custom view dashboards, see "Using Custom View Dashboards" on page 264. 


For more about working with dashboards, see "Using Dashboards" on page 238. 


Chart types and descriptions: 

Area: A horizontal chart in which bands occupy various amounts of the displayed area to indicate relevant values. 

Area Radar: A circular chart that shows proportional values as solid graphic extensions from a central zero point, outward to a higher-value border, and occupying relative numbers of degrees of the available circle. 

Horizontal Bar: A horizontal chart that shows changes in relative quantities, usually by time units seen as solid rectangles, over a span of time. 

Line: A horizontal chart that shows changes in relative quantities, usually by time units plotted on a line, over a span of time. 

Pie: A circular chart with proportional wedges for the relevant values. 

Radar: A circular chart that shows proportional values as a line plot from a central zero point, outward to a higher-value border, and occupying relative numbers of degrees of the available circle. 

Scatter Plot: A horizontal chart that shows changes in relative quantities, usually by time units plotted as separate points, over a span of time. 

Stacking Area: A horizontal chart in which stacked bands occupy various amounts of the displayed area to indicate relevant values. 

Stacking Bar: A horizontal chart that shows changes in relative quantities, usually by time units seen as stacked solid rectangles, over a span of time. 

3D Bar: A corner-anchored graph with height, width, and depth dimensions that can show three axes of categorical and quantitative information. 


Exploring the Events Behind a Chart 

To see a grid view of the events behind an active channel's chart, double-click the section of the 
graphic that represents those events. To filter those events further, right-click the relevant section of 
the chart and choose an Investigate command option. In charts that show color keys, such as Events 
by Priority, you can also double-click a color chip to open a grid view filtered by that key. 
To see an active channel grid view of the events behind a data monitor's chart, double-click the section 
of the graphic that represents those events, or right-click and choose Show Details, or choose Show 
Detailed Channels to see a view for each of the chart's components. 


Using Active Channels 

The tasks in this topic explain how to monitor events in active channels. To better understand the 
details in grid views, please read more about event grid data fields. 

Monitoring Events in the Active Channel 

Click an active channel's tab at the top of the Viewer panel and select the Grid view of that channel 
using the tab at the bottom. When new events occur, they are displayed at the top of an active channel 
as a new row. Events can appear in ArcSight Severity or filter colors. You can set the color-code for 
events by using the steps described in "Setting Grid Options for the Viewer Panel" on page 83. 

Sorting Columns in the Active Channel 

Right-click the column header and select Sort Column. Columns that support sorting have up/down 
triangles to the right of the column heading. If the column contains numerals, it sorts from highest to 
lowest value (or vice versa). If the column contains words or alphabetic characters, it sorts 
alphabetically from A to Z (or vice versa). 

You can also perform an advanced sort on one or more columns in the active channel. When selecting 
a secondary sort column, select the secondary column first, then the primary column. For example, to 
sort by Event Name then by Detect Time, sort Detect Time first, then Event Name. 

Sorting a column automatically pauses the channel, so new events stop appearing in it. Click the Play 
button in the Replay Controls to restart the channel and resume receiving events. 

Note: When you sort on time and on priority, you might observe cases where events with the 
same apparent time are not in priority order. Because events are timestamped to milliseconds, 
they may in fact be in time order although the milliseconds are not showing. In this case, you can 
show milliseconds to validate time order. Choose Edit > Preferences, then in the Date and Time 
panel change the Date & Time Format to also show milliseconds by adding “SS” to the seconds 
parameter, for example, d MMM yyyy HH:mm:ss:SS z. 
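The two-click advanced sort relies on the sort being stable: sorting by the secondary column first and then by the primary column leaves rows that tie on the primary column in secondary order. The added example below is not from the guide; it reproduces that behaviour, and the millisecond display from the note, with constructed events that all fall inside the same wall-clock second. The Console's Java date pattern is approximated with Python's strftime, and the field names are ArcSight display names used as plain dictionary keys.

```python
"""Stable two-pass sort and millisecond display (added example, not Console code)."""
from datetime import datetime, timedelta, timezone


def sort_column(events, column, descending=False):
    """One 'Sort Column' click. Python's sort is stable: rows that tie on `column`
    keep their existing relative order, which is what the two-click advanced sort needs."""
    return sorted(events, key=lambda e: e[column], reverse=descending)


def advanced_sort(events, primary, secondary, descending=False):
    """Sort by `primary`, then by `secondary`. As in the Console, the secondary column
    is clicked first and the primary column second."""
    return sort_column(sort_column(events, secondary, descending), primary, descending)


def format_time(ts, show_millis=False):
    """Render a time like the Console's 'd MMM yyyy HH:mm:ss z' preference; with
    show_millis, append ':SS' (two millisecond digits) as the note suggests."""
    text = f"{ts.day} {ts.strftime('%b %Y %H:%M:%S')}"
    if show_millis:
        text += f":{ts.microsecond // 10000:02d}"   # 123 ms -> '12'
    return f"{text} {ts.tzname()}"


def make_events():
    """Constructed rows, not ESM output: three events inside the same second."""
    t0 = datetime(2024, 5, 10, 14, 30, 7, tzinfo=timezone.utc)
    return [
        {"Name": "Port scan",     "Priority": 8, "End Time": t0 + timedelta(milliseconds=457)},
        {"Name": "Failed login",  "Priority": 5, "End Time": t0 + timedelta(milliseconds=123)},
        {"Name": "Policy change", "Priority": 9, "End Time": t0 + timedelta(milliseconds=123)},
    ]


def display(events, show_millis=False):
    """(displayed End Time, Priority) pairs, the way the grid would present them."""
    return [(format_time(e["End Time"], show_millis), e["Priority"]) for e in events]


if __name__ == "__main__":
    rows = advanced_sort(make_events(), primary="End Time", secondary="Priority",
                         descending=True)
    for shown, prio in display(rows):        # all show 14:30:07, yet 8 sits above 9
        print(shown, prio)
    for shown, prio in display(rows, True):  # the milliseconds explain the order
        print(shown, prio)
```

Without milliseconds the three rows look simultaneous and the priorities appear out of order; with them, the 457 ms event is visibly newer than the two 123 ms events, which tie on time and therefore fall back to priority order.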

Adding, Replacing, or Removing a Column 

A quick way to add, replace, or remove columns in an active channel (or list) is to right-click the 
appropriate column header and select one of the following options: 

• Columns > Add/Remove Column > <Select a field from the menu> 

• Columns > Replace This Column > <Select a field from the menu> 

• Columns > Remove This Column 

These are context-dependent commands that apply to the column on which you launch the right-click 
menu. (To add a column, right-click on the header of the column you want to add the new column next 
to. Columns are added to the right of that header. To replace or remove a column, right-click on the 
header of the column you want to replace or remove.) 

Alternatively, you can use the Customize Columns dialog to define the columns shown in the viewer as 
described here: 

1. Right-click the column header and select Columns > Customize Columns to bring up the 
associated dialog. (Note that fields shown in italics are derived fields.) 

[Figure: the Customize Columns dialog. The dialog shown is an example; its contents depend on the columns in the channel.] 


Tip: Looking for information about custom columns? If you want to add a custom 
column, you need to create (define) it first. Once it’s created, it appears in the Available Fields 
list under Custom Column, and you can include it in active channels as with any other field. 
For information on creating custom columns, see "Customizing Columns" on page 236. 


■ To add a column: Select data fields (column titles) to add from the Available Fields list on the 
left. Check marks indicate selected columns. The selected columns show up in the list on the 
right as you select them. Alternatively, when you deselect or uncheck a data field on the left, the 
column is removed from the right-hand list. 

■ To remove a column: Select a field from the right-hand list and click the Delete button. 
Also, deselecting a data field from the Available Fields list on the left removes it from the right-hand 
list. Removing a column from an active channel does not delete the column information 
from the database. 


Tip: You also can remove a column directly from the active channel without opening the 
Add/Remove Columns dialog. To do this, right-click a column header and select Remove 
Column. 


■ To re-order the columns: Select a data field (column title) in the right-hand list and click the Up 
and Down buttons to move it. The top-to-bottom order shown in the Show columns in this order 
list on the right translates to a left-to-right order when applied in the active channel. A column 
title at the top of this list will show as the first column in the channel on the far left in the grid 
display. A column title at the bottom of this list will show as the last column on the far right of 
the grid. 

2. Click OK to save changes you made on the Add/Remove Columns dialog. The active channel 
reflects added, replaced, removed, or re-sorted fields. 

Sizing a Column in the Active Channel 

Right-click a column header and select Size Column To Fit. 

Showing or Hiding Column Text and Icons 


Right-click a column header and select one of the following options: 


Text and Icon: Display the column heading and its icon. 

Text Only: Display only the column heading. 

Icon Only: Display only the icon. 


Exporting Events to a File 

You can export a set of data fields into a comma separated values (CSV) file. 

1. In the channel, select one or more events. 

2. Right-click and choose Export > Events in Channel. 

3. On the Export Events file browser, navigate to the location where you want to save the CSV file, 
then enter or select options for these fields: 

File Name: Enter a file name for the CSV file. 

Note: The file name extension is not required; the .csv extension is added automatically when the file is created. 

Files of Type: Select Comma separated values (*.csv). 

Export Data Options: For Rows, you have two options: 

■ If you choose All in channel, all events in the channel are exported to the CSV file. 

■ If you choose Selected rows only, only the rows highlighted for the right-click operation are exported to the CSV file. 

The default for Columns is the Export field set. You can keep the default, or select other field sets from a list of All Field Sets. (For more information on creating, editing, and applying field sets, see "Creating and Using Field Sets" on page 546.) 

For Destination, choose Local CSV File. 

4. Click OK. 


Tip: How to limit the export to fields visible in the channel: 

The default “Export” field set includes a large number of columns. Unless you have a pressing need 
to export all these fields for channel events, you might want to modify the export. Exporting a large 
field set for a large event set could be time- and resource-consuming. 

If you want the exported file to include only the fields shown in the current channel, do either of 
these: 

• If the channel is unmodified from its default (you have not added or removed fields), you can 
select the channel’s default field set on the file export option. To find the default field set name, 
edit the channel and look at the “Default Field Set” name, or right-click any column header in the 
channel and choose Field Set > Selected Field Set. The default field set will be selected. (For 
example, for the /All Active Channels/ArcSight System/Core/Live active channel, the 
default field set is Standard-MgrRcpt. Selecting this field set on the export will give you that 
set of columns in the CSV file.) 

• If you have modified the channel from its default (added or removed fields), you can save it as a 
custom field set and then choose your custom field set on the export dialog. To save a custom 
field set, right-click anywhere on the column headers in the active channel and choose Field 
Sets > Save As. On the Field Sets Selector, navigate to the group you want, name the new 
field set and click OK. Now it will be available to choose from on the export dialog. 

The Export field set itself is also customizable. If you are sure you always want exported events to 
include a limited set of fields, you can edit the Export field set. (See "Creating and Using Field 
Sets" on page 546 and "Editing a Field Set" on page 552.) 

Choosing Active Channel Menu Commands 

Right-click an event or event field in the active channel to open a context menu. The commands 
available are those that apply to the current combination of event type, view, filter, and so forth. 

Active Channel Menu Commands 

Command: Description 

Show Event Details 
    Use the Event Inspector to examine all the attribute details associated with the event. 

Correlation Options 
    • Simple chain: Show this event's base and correlated event tree in the Event Inspector. 
    • Detailed chain: Show this event's base and correlated events in detail in a new active channel. 
    • Show triggering resource: Show the rule that triggered this event in the Rule Editor. 
    • Clear rule actions: Clears the list (if one is showing) of rule actions pending on the database. 

Investigate 
    Create a temporary filter as required based on the field's highlighted event. The Investigate 
    command uses the event's attribute type (its column heading), and the particular event's field 
    value (for example, an exact IP address), to formulate simple filters based on these two factors. 
    The filter's operators can include Create Filter [X = Y] and Add Condition [X = Y] to Editor. 
    The Investigate submenu also offers the Show Exploited Vulnerability and Show Targeted 
    Asset commands to open detailed views of assets or vulnerabilities, if present in the selected 
    event. 

Debug Filter 
    Evaluate if the selected event passes the filter resource selected from the filter resource popup. 

Debug Event Priority 
    Display information on how event priorities are determined for the selected event. The window 
    lists which conditions match the event, the items under each category (Severity, Relevance, 
    Model Confidence, and Asset Criticality), and the total scores. For each category, certain 
    factors contribute their individual scores. The scores are added to calculate the total. However, 
    if the sum exceeds the upper limit of 10, 10 is displayed for the category’s total score. The 
    lower limit is 0. 
    Debug Event Priority is applicable to Threat Level Monitoring, described in "Threat 
    Evaluation" on page 1060 and also "Priority Calculations and Ratings" on page 1010. 

Active List 
    Add the selected event to, or remove it from, an active list. This is explained further in 
    "Active Lists" on page 787 and "List Authoring" on page 469. 

Annotate Event 
    Open this event in the Annotate Events dialog box, where you can click the Stage field to set a 
    collaboration workflow sequence for this event. When you select a stage you automatically 
    place the event in the corresponding group in the Stages resource tree in the Navigator panel, 
    where you and other analysts can collaborate on its investigation and resolution. 

Mark as Reviewed 
    Set the event's annotation flag to IsReviewed. See "Event Annotation Group" on page 920, 
    especially the Flags label, for a list of event annotation fields. 

Event Graph 
    Graph any logical relationships (that is, source/target IP address connections) that exist among 
    the currently selected events. 

Rule Chain Graph 
    Graph the rule chains behind the currently selected triggered events. 

Geographic View 
    Geographically map the source and destination IP addresses of the selected events. 

Integration Commands 
    Link to other ArcSight applications and tools. For more information, see "Integration 
    Commands" on page 623. 

Tools 
    Displays the Tools command menus (also available from the menu, Tools > Local Commands). 
    See "Using the Network Tools" on page 53 and "Using the Tools Menu" on page 61. 

Export 
    Export the selected events to an external event-tracking system, such as comma-separated- 
    value (CSV) data in a report or for a spreadsheet, or save it as an HTML or a JPEG file. 

Add to Case 
    Add the selected events to a new case for tracking. 

Payload 
    Keep or discard the payload associated with a selected event. Disabled if the selected event 
    has no associated payload. 

Report 
    Includes two options: 
    • Event Context Report: Output a report concerning rules and events within a specified time 
      window. 
    • Channel Report: Output a report of all events in the channel. 
    See "Running Reports from a Grid View" on page 454 for additional details. 

Close 
    Close the current individual view within the selected view type. 

Knowledge Base 
    If defined, show the Knowledge Base pages associated with the selected events, or associate 
    new pages. 

Reference Pages 
    If defined, displays the reference pages for this event. 

Vendor Page 
    If available, show the vendor Web page of the event's sensing device. 

Help 
    Open the online Help to this topic. 


Filtering Active Channels with Inline Filters 

Active channels have a means for creating simple filters based on using a value found in one column, or 
creating AND conditions between values found in two or more columns. 

These filters are called inline filters, a very rapid way to constrain detailed views. While inline filters are 
in use, they affect all views generated for the channel. 

You can create, change, save, hide, and remove inline filters from the active channel. Also, you can 
create and manage multiple inline filters from this view. 

• To create an inline filter, click the Inline Filter link in the event header or click the Edit Inline Filter 

button at the top right of the active channel to display the inline filtering fields. Enter a value by 
which you want to filter for one or more fields relating to a column in the grid. Click Apply to apply 
the filter immediately to the view. The inline filter is displayed in the header under the standard filter. 

• To change an inline filter, click the Edit Inline Filter button again, and choose new values, and 
apply. The Clear button clears the inline filter fields, and Cancel closes the inline filtering window 
without saving current changes. 

• To remove an inline filter, right-click over the Inline Filter name in the header for the selected event 
and choose Remove Inline Filter. 

• To save an inline filter, right-click over the Inline Filter name in the header for the selected event and 
choose Save Inline Filter. This opens a Filters Selector dialog that shows the Filters tree. 
Navigate to the folder where you want to save the current filter, and click OK. 

• To highlight the filtered events, click the Highlight check box (on is check marked) and use the 
drop-down color selector to select a color from the palette. 

• To create and manage multiple inline filters, click the + button next to the Highlight options under the 
inline filters to add filter definition rows. (Click the - button to remove filter rows.) The potential uses 
of multiple inline filters are extensive, but essentially this provides a means of creating a filter with 
complex conditions, inline in an active channel. For example, in the Name column for an event, you 
could specify that the event name contains ActiveList on the first filter row and that the name 
does not contain Successful. You could extend this filter by specifying what you are looking for in 
some of the other fields or even add more qualifiers on the Name field. All fields can be narrowed 
down in this way, using multiple filter definition rows. 


To add an Inline filter, click the Edit Inline Filter button to the right of the viewer 
above the event grid. 

Clicking the Edit Inline Filter button opens an inline filtering window. Type a value in one or more fields 
to further filter the event stream. In this example, we add an Inline filter on the Priority field to specify 
showing only events of Priority 3. Click Apply to apply the inline filter. 

Also, you can click the + button to add filter definition rows and create multiple inline filters. Click the - 
button to remove rows. 

Once the inline filter is applied, only events that match the current filter and the inline filter are shown. 
The inline filter used is displayed in the header under the original filter. 


Note: Custom columns are not available as arguments for inline filtering. 


Customizing Columns 

You can create active channel columns with customized cell content and presentation formats, tool tip 
contents, and right-click pop-up values. 

You make these changes through the Custom Columns Editor. In the Editor you create new named 
columns. For each column you select event data fields to display, and if you wish, the HTML formatting 
to use in its cells. The tool tip option specifies the formatting and content of the tool tips you see when 
you hover the pointer over cells in that column. The right-click field option sets the event data field to 
use in columns where there are right-click commands that use field names as arguments such as 
“Investigate....” 

Creating a Custom Column 

1. Right-click a column header in an active channel and choose Columns > Edit Custom 
Columns. 

2. In the Custom Columns Editor, click Add and name your new column, for example, call it ABC 
Vendor. If you want all Console users to see the new column (not just administrators), select the 
Share with all check box. 

Tip: You can also toggle this option on or off later from the Cell Format tab. 

Click OK. 

3. With the new column selected, click Field Selector and choose the event attributes you want to 
display in this column. For example, for ABC Vendor, choose Name and click OK. 



The format field is automatically populated with the variable value in Velocity Template format. If 
appropriate, apply Java-compatible HTML formatting around the field strings. Remember to 
bracket such formatting with the HTML tag, such as <HTML><B>$type</B></HTML>. 

4. Click Preview to see how the contents of the Format box will look in the active channel. 

5. Click the ToolTip Format tab to define a tool tip. 

6. Choose a target event attribute in the Right-Click Field menu to populate variable right-click 
commands, when applicable. 

7. Click Rename or Remove to change or take away selected items in the Custom Columns list. 

8. Click Apply to put your changes into effect and Close to close the Custom Columns Editor. 

You can edit custom columns after they are created, including toggling on/off the “Share with all” 
settings for a column, renaming it, changing its Field Selector mappings, and so forth. 

Note: Custom columns are not available as arguments for inline filtering. 

Showing a Custom Column 

A new custom column is immediately available for use in the Console. Right-click the column header in 
an active channel and choose Customize Columns > Add Column to add the new column to the 
active channel. Custom columns show up in the Available Fields list under Custom Column. If a column 
is configured as Share with all, it is available to all administrators. If not, it is available only to the 
user who created it. For more information, see "Adding, Replacing, or Removing a Column" on 
page 228. 

Advanced Example: Creating a Custom Column with Velocity 
Template 

Custom columns can display different contents based on external conditions. Use the Velocity 
template language to specify these conditions. 
To create a custom column that displays a particular image when an event's target is in a specific 
Zone, create the custom column as described previously, but specify Velocity template-language script 
in place of the HTML format. 

The code in the Format text box might look like this (the zone path is wrapped here only for 
readability; it is a single string in the editor): 

    <HTML> 
    #if (($targetZoneUri.length() > 0) && 
         ($targetZoneUri.startsWith("/All Zones/System Zones/Public Address Space Zones/Ford Motor Company"))) 
    <IMG src="file:///c:/fordlogo.gif" /> 
    #end 
    </HTML> 
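As an added example that is not from the guide, the same technique extended with #elseif and #else branches, so the column labels the target zone instead of showing one image and handles an empty zone explicitly. $targetZoneUri and the "Public Address Space Zones" path are from the guide; the "Private Address Space Zones" path, the tag text, and the colours are assumed values for illustration. 

```velocity
## Added example (not from the guide): label the target zone in a custom column.
## $targetZoneUri is the guide's own variable. The "Private Address Space Zones"
## path, the tag text and the colours are assumed values, not ArcSight defaults.
<HTML>
#if ($targetZoneUri.length() > 0)
  #if ($targetZoneUri.startsWith("/All Zones/System Zones/Public Address Space Zones/"))
    ## Target sits in public address space: make it stand out in red
    <FONT color="red"><B>PUBLIC</B></FONT>
  #elseif ($targetZoneUri.startsWith("/All Zones/System Zones/Private Address Space Zones/"))
    ## Target sits in private address space: show it in green
    <FONT color="green">PRIVATE</FONT>
  #else
    ## Any other zone: fall back to the full zone URI so nothing is hidden
    $targetZoneUri
  #end
#else
  ## No zone was resolved for the target: say so instead of rendering an empty cell
  <I>(no zone)</I>
#end
</HTML>
```

Because an unresolved zone renders as "(no zone)" rather than blank, the analyst can tell an unzoned target apart from a target whose zone simply has no special label.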


Using Dashboards 

Dashboards are a graphical display of data gathered from one or more: 

• "Data Monitors" on page 946 
• "Query Viewers" on page 323 

Dashboards can display data in a number of graphical formats, including pie and bar charts, tables, and 
custom layouts. 

Administrators can control visibility of, or access to, dashboards, query viewers, and data monitors by 
changing access control lists (ACLs) as needed. For more information on general use of ACLs on any 
resource, see "Managing Permissions" on page 189. 

With ACLs, administrators can also control which users are allowed to deploy (enable) or un-deploy 
(disable) a data monitor. 


Monitoring Dashboards 

You can organize and present events displayed by data monitors and query viewers on the dashboard. 
Basic tasks include loading and displaying dashboards; inspecting events; using zoom, slide show, or 
manipulating the views in various ways; working with dashboard layouts; saving dashboards, and so 
on. 

Loading Dashboards 

1. Choose Views > Show Dashboard to open the Load Dashboard dialog box. 

2. Expand the dashboard groups to locate the dashboards you want to include in your display. 

3. Select the checkboxes next to the dashboards you want to include. 

4. Click OK. 


Inspecting Events in Dashboards 

You can investigate the events presented on the dashboard by selecting and right-clicking those events 
and choosing Show Event Details for Last N Events data monitors or Show details for other types of 
data monitors. 


• If you select events from a Last N Events data monitor, the details appear in the Event Inspector. 

• If you select events from any other data monitor or query viewer, a new view opens in the Viewer 
panel for you to investigate. 


You can drill down on grid, graph, or chart views. 


Tip: By default on a data monitor, the displayed channel uses the same columns as the default 
Standard Field Set (as defined in the console.default.properties file in the ArcSight Console 
installation). 

If a custom field set is defined for the data monitor Select Field Set option, the drill-down 
channel will use that field set. (See "Data Monitors" on page 946 for information on creating data 
monitors and defining settings for them.) 

You can add or remove columns in the active channel. To do so, right-click on the active channel 
column headers to get the Customize Columns option. 


For example, to investigate a data monitor pie chart display, either double-click the chart, or right-click 
and select Investigate > Create Channel and choose a create channel option (the menu option for a 
pie chart display of a query viewer may slightly vary with an additional menu level). 

An active channel is displayed showing more detail about the events or resources in the original data 
monitor or query viewer display. If the channel came from a data monitor, the channel uses the field set 
columns defined for use in the data monitor Select Field Set option. If no field set is defined, the 
data monitor uses standard field set columns. 

Drilling Down to Other Resources 

If your dashboard contains data monitors and query viewers that have drilldowns, you can view these 
drilldowns by right-clicking the particular dashboard element (data monitor or query viewer) and 
selecting Drilldown > [drilldown name] from the context menu. The Console then displays the 
selected element's edit panel at the Drilldowns tab. 

If the selected dashboard element does not have a drilldown, you are presented with the option to 
create one for that element. See "Adding a Drilldown" on page 250. 

Displaying Dashboards 

In the Navigator panel's Dashboards resource tree, right-click a dashboard and choose Show 
Dashboard. 

Displaying Dashboards in a Slide Show Rotation 

To automatically and sequentially display all the dashboards present in the Viewer panel, choose Views > 
Slideshow > Interval in the Console's menu. Use Interval to set the number of seconds to pause on 
each dashboard, then choose Views > Slideshow > Start, or use the toolbar button, to begin the 
slide show. Slide shows appear full-window. Also, Tile Best Fit is the best display choice in slideshow 
dashboards so all data monitors are visible. Use Views > Slideshow > Stop, or the toolbar button, to 
end a slideshow and return to the previous view. 

Rearranging Elements in Dashboard Layouts 

You can change a dashboard's layout by dragging and dropping the elements on the desired location in 
the dashboard. You can also click an element’s header and drag it to another location. 
Using Dashboard Menu Options 

Right-click an element in a dashboard to use the Dashboard subcommands on its context menu. The 
nature of the element (data from a data monitor or query viewer) determines which commands are 
applicable and enabled. 

See "Dashboard Context Menu Commands" on page 884 for descriptions of options. 

Zooming In or Out of Dashboards 

Right-click an element and choose Dashboard>Zoom In or Dashboard>Zoom Out. 

Fitting all Dashboard Elements 

Right-click a dashboard element and choose Dashboard>Fit in Dashboard. 

Saving Dashboard Layouts 

In a dashboard, right-click and select Save Dashboard. 

Closing a Dashboard 

In a dashboard, right-click and select Close Dashboard. 

Editing Dashboard Elements 

Right-click in the element and choose <Dashboard element>Edit. 

See also: 

• "Editing a Data Monitor" on page 250 and "Moving or Copying a Data Monitor" on page 257 

• "Creating or Editing a Query Viewer" on page 326 

Changing a Dashboard's Layout 

Click the Layout button at the lower-right corner of the dashboard in the Viewer panel and choose a tab 
or tile option. 


Managing Dashboards 

This topic describes how to create dashboards and add elements to them. Elements include data 
monitors and query viewers. 

Creating or Editing a Dashboard 

When you create a dashboard, the ability to add data monitors is automatically available. 

Where: Navigator > Resources > Dashboards 

1. Right-click a dashboard group and choose New Dashboard. Alternatively, drag an existing 
dashboard to a different group, choose Copy to copy the dashboard, and then rename it. 

Or right-click an existing dashboard and choose Edit Dashboard. 

If you chose New Dashboard, an untitled dashboard appears in the Viewer panel and the Data 
Monitors tab automatically comes forward so you can choose monitors to add. 

2. If you want to add data monitors now: 

a. On the Data Monitors tab, navigate through the groups of existing data monitors to find 
ones you want to add to the dashboard. 

b. Select a data monitor to add, right-click it and choose Add to Dashboard As, then choose an 
applicable display format (see "Display Formats" on the next page). 

c. Repeat the above step to add other data monitors, as needed. When you've finished, right-click 
the dashboard in the Viewer panel and choose Save Dashboard. 

3. If you want to add query viewers, see "Adding a Query Viewer to a Dashboard" on the next page. 

4. In the Save As dialog box, navigate to a group and type in the Name text field. 

5. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

6. Click OK. 

Adding a Data Monitor to a Dashboard 

1. Right-click a dashboard and choose Show Dashboard. 

2. On the Data Monitors tab, navigate through the groups of existing data monitors to find ones you 
want to add to the dashboard. 

3. Right-click a data monitor and choose Add to Dashboard As, then choose an applicable display 
format (see "Display Formats" on the next page). 

4. To save the dashboard, right-click it and choose Save Dashboard. If this is a new dashboard, 
navigate to the group where you want to save the dashboard, enter a name for the new dashboard, 
and click OK. 
Adding a Query Viewer to a Dashboard 

You can add a query viewer result to a dashboard as follows: 

1. If you have identified an existing dashboard to which you want to add the query viewer, open the 
dashboard in the viewer and make sure it is the focus. If you want to add the query viewer to a new 
dashboard, continue to the next step. 

2. Choose Query Viewers in the Navigator. 

3. Select a query viewer, right-click and choose Add to Dashboard As >, then choose an 
applicable display format (see "Display Formats" below). 

The query viewer result is displayed on the open dashboard. If a dashboard is not displayed, a new 
untitled dashboard is created for the query viewer result. 

4. Save the existing dashboard. 

Or if this is a new dashboard: 

a. Right-click the title bar of the dashboard and choose Save Dashboard As. 

b. In the popup dialog, navigate to the group where you want to save the dashboard, enter a name 
for the dashboard, and click OK. 

By default, this new dashboard is a regular dashboard. If you want to change it to a custom 
view dashboard, see "Using Custom View Dashboards" on page 264. 

You can add multiple query viewer result sets along with other resources to a single dashboard. 

Display Formats 


The display options available depend on the nature of the dashboard element. 

Display Options for Dashboards 

Display Format: Description 

BarChart 
    Shows data as a series of proportional bar elements and may include bar segmentation to 
    subdivide the data. 
    Applies to data monitors and query viewers. 

BarChart Table 
    A grid of proportional bar elements. 
    Applies to data monitors. 

Horizontal BarChart 
    Shows data as a series of proportional bar elements and may include bar segmentation to 
    subdivide the data. This format forces the bars to run left-to-right rather than up-and-down. 
    Applies to data monitors and query viewers. 

Pie Chart 
    Shows data as a circle with proportional wedges for elements. 
    Applies to data monitors and query viewers. 

Statistics Chart 
    Displays Moving Average data monitors, especially those that contain and need to arrange 
    (overlay) multiple graphs in one monitor space. Compare Statistics Chart to Tile, which 
    arranges individual-graph monitors into fixed arrays. 
    Applies to data monitors. 

Table 
    Displays data as a grid. 
    Applies to data monitors and query viewers. 

3D Bar Chart 
    Shows data as a series of proportional bar elements and may include bar segmentation to 
    subdivide the data. The graph also has a third axis (depth) to display more data and can be 
    rotated by dragging. 
    Applies to data monitors. 

Stacked BarChart 
    Shows data as a series of proportional bar elements and may include bar segmentation to 
    subdivide the data. 
    Applies to query viewers. 

Tile 
    Arranges individual Moving Average data graphs into separate, fixed positions on a data 
    monitor, when multiple graphs are present. Compare Tile to Statistics Chart, which displays 
    multiple graphs (overlaid) in the same monitor space. 
    Applies to data monitors. 


Deleting a Dashboard 

1. In the Dashboards tab of the Dashboards resource tree, right-click the dashboard's name and 
choose Delete Dashboard. 

2. In the dialog box, click Yes. 

Managing Dashboard Groups 

The groups in the Dashboard tab of the Navigator panel's Dashboard resource tree store individual 
dashboards or other dashboard groups. You use groups within groups to help organize larger numbers 
of resources. 

You can manage groups by drag-and-drop. You can move or copy dashboards or groups within the 
Dashboards resource tree. And deleting a group also deletes the resources it contained. 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 

Where: Navigator > Resources > Dashboards > Dashboards tab 

To create a dashboard group: 

1. Right-click a group and choose New Group. 

2. Enter a name in the group's text field. 

3. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

4. Press Enter. 

To rename a dashboard group: 

1. Right-click a group and choose Rename. 

2. Enter a name in the group's text field. 

3. Press Enter. 

To edit a dashboard group: 

1. Right-click a group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text fields. 

3. Click OK. 

To move or copy a dashboard group: 

1. Navigate to a group and drag it into another group. 

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you select Copy, you create a separate copy of the group that will not be affected when the original 
group is edited. If you select Link, you create a copy of the group that is linked to the original group. 
Therefore, if you edit a linked group, whether it be the original or the copy, all links are edited as well. 
When deleting linked groups, you can either delete the selected group or all linked groups. 
To delete a dashboard group: 

1. Right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 


Using Data Monitors 

You populate dashboards with data monitors, which you most often select from the Data Monitors 
resource tree in the Navigator panel (under Dashboards). HP provides pre-defined data monitors. 
However, you can create, edit, and delete your own data monitors. 

Administrators can limit visibility of, or control access to, data monitors by changing access control 
lists (ACLs) as needed. For more information on general use of ACLs on any resource, see "Managing 
Permissions" on page 189. 

With ACLs, administrators can also control which users are allowed to deploy (enable) or un-deploy 
(disable) a data monitor. 

Related topics: 

• "Creating a Data Monitor" below 

• "Adding a Drilldown" on page 250 

• "Enabling or Disabling a Data Monitor" on page 257 

• "Optimizing the Evaluation of Event Filters for Data Monitors" on page 261 


Creating a Data Monitor 

1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a data 
monitor group and choose New Data Monitor. 

2. In the Data Monitor Editor, select a Data Monitor Type from the drop-down menu. 


Data Monitor Types 


Data Monitor 
Type 

Description 

"Asset 

Category 

Count Data 
Monitor" on 
page 947 

Enumerate the number of real-time hits (events) that occur per asset category, 
by priority, within a time interval. 
Data Monitor Types, continued

Data Monitor Type: Description

"Event Correlation Data Monitor" on page 948: Provide flow-volume level correlation between two different event streams (based on two different specified filters).

"Event Graph Data Monitor" on page 950: Draw real-time diagrams of selected event activity. Automates the graphing of attacks in real time. The manual operations are described in "Graphing Attacks" on page 270.

"Event Reconciliation Data Monitor" on page 951: Correlate events arriving from one sensor with events arriving from another sensor. When qualifying events occur on either or both sensors, this data monitor issues a new event to signal it. Useful in helping to determine the effectiveness of a firewall or IDS deployed in your environment.

"Geographic Event Graph Data Monitor" on page 955: Draw a real-time geographic map of selected events. In effect, it does automatically and in real time what you can do manually, as described in "Graphing Attacks" on page 270.

"Hierarchy Map Data Monitor" on page 956: Draw an image made up of proportionally sized panels where each panel represents a group of events selected by the group fields chosen in the source node identifier. A source-node criterion can be a combination of fields. The Hierarchy Map data monitor includes several enhancements, as described in "Features" on page 956 in "Hierarchy Map Data Monitor" on page 956.

"Hourly Counts Data Monitor" on page 965: Display the total count of events on an hourly basis along with their Priority.

"Last N Events Data Monitor" on page 966: Order events based on a specified configuration. In the Table Viewer, the monitor displays the most recent events by Priority, Event Name, Protocol, and Category. With the BarChartTable configuration, the order is by Priority and Event Name. The PieChart configuration is ordered by Priority.

"Last State Data Monitor" on page 967: Provide an extra level of abstraction that you can use to simplify the information presented to operators. Sometimes called indicator lights or heads-up displays, these monitors show graphics that translate more complex values into simple, rapidly observable results such as green/amber/red signal lights or checkmark/asterisk/exclamation point symbols. Last State data monitors could also be called most-recently-known-state monitors.

"Moving Average Data Monitor" on page 974: Display the moving average of events by a selected data field. The display provides a running count of events within a specified time frame and generates an event when the moving average changes significantly.

"Rules Partial Match Data Monitor" on page 977: Display rules that have partial matches and the total number of partial match events within a specified time frame. For more information on partial matches, see "Managing Rule Actions" on page 515.

"Session Reconciliation Data Monitor" on page 978: Correlate events on the basis of their occurrence within a relevant time period, as established by a session event.

"Statistics Data Monitor" on page 980: Provide a broader generalization of Moving Average data monitor functionality by allowing selection of other statistical methods in addition to Moving Average. Statistical methods include Average, Moving Average, Standard Deviation, Skew, and Kurtosis. These added capabilities can be used to detect anomalous behavior that could not be detected using the moving average alone.

"System Monitor Data Monitor" on page 983: Provide measurements based on ArcSight Manager internal monitoring system Java classes and attributes. A number of system monitors that might be particularly useful to ArcSight administrators are provided as predefined System Data Monitors that you can include in your dashboard displays to monitor system performance.

"System Monitor Attribute Data Monitor" on page 983: Similar to System Monitor, except that, rather than providing measurements for all attributes of a specified Java class, it focuses on a single specific attribute of a given ArcSight Java class. Used primarily for measurements on attributes that provide complex data structures.

"Top Value Counts Data Monitor" on page 984: Display top events by selected data field, the total number of events, and the event Severity within the total number of events, with the Table and BarChartTable viewer configurations.


3. Based on the data monitor type you have selected, specify values and options in the applicable 
fields to define the data monitor's data collection. Details on fields and appropriate values are 
given in the information about each data monitor type. 
Note: Depending on the permissions associated with the user group to which you belong, you may or may not have an option to Enable (deploy) or Disable (un-deploy) the data monitor. For more information, see "Enabling or Disabling a Data Monitor" on page 257.


4. If the data monitor uses data fields for evaluation, use the Variables tab to create a new 
specialized field, if necessary. 

The following data monitors support variables: 

■ Event graph 

■ Hierarchy Map 

■ Last N Events 

■ Last State 

■ Moving Average 

■ Statistics 

■ Top Value Counts (bucketized) 

If you select a data monitor that does not support variables, the Variables tab is disabled. 

You can also add a global variable anywhere fields can be added. For instructions about how to add 
a global variable to a data monitor, see "Adding a Global Variable to a Data Monitor" on page 564. 

5. If the Data Monitor type supports drill downs, you can use the Drilldown tab to configure it. The 
following types of Data Monitors support drilldowns: Event Graph, Hierarchy Map, Last N Events, 
Last State, Moving Average, Statistics, and Top Value Counts (Bucketized). 

In the ArcSight Console you can create drill downs to Dashboards, Active Channels, Reports, and 
Query Viewers. 

In a Custom View Dashboard and on the ArcSight Command Center, only drill downs to 
dashboards are supported. 

6. Click OK. 

To add the new monitor to the current dashboard, right-click it and choose Add to Dashboard As. 
Editing a Data Monitor

1. Do either of the following to bring up the Data Monitor editor:

■ In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a data monitor and choose Edit Data Monitor.

■ If a Dashboard containing a given Data Monitor is already displayed, hover the cursor over that Data Monitor in the Viewer panel, right-click, and choose Data Monitor > Edit.

2. In the Data Monitor Editor, edit the applicable fields.

3. Click OK to save your changes and close the Data Monitor Editor. Or click Apply to save the changes and leave the editor open.

See "Creating a Data Monitor" on page 246 and "Data Monitors" on page 946 for field details on all data monitors.

For options to customize the view of Last State data monitors, see the "Last State Data Monitor" on page 967 topic.


Adding a Drilldown 

You can configure query viewers and data monitors to drill down to one or a combination of the following 
resources: 

• Active channels 

• Dashboards 

• Query viewers 

• Reports 

Each drilldown type has its own options. After you have added one or more drilldowns, Console users 
can select one by right-clicking on the result and selecting Drilldown > [drilldown name] from the 
context menu. 

You can create drilldowns from these types of data monitors: 

• Event graph 

• Hierarchy map 

• Last N Events 

• Last State 
• Moving Average

• Statistics 

• Top Value Counts 

You cannot drill down to resources from the following data monitors: 

• Asset Category Count 

• Event reconciliation 

• Event Correlation 

• Geographic Event Graph 

• Hourly Counts 

• Rules Partial Match 

• Session Reconciliation 

• System Monitor 

• System Monitor Attribute 

The drilldowns are initially displayed for selection in the order they were created. The first drilldown is 
automatically the default drilldown of choice. 


To add a drilldown from the data monitor: 


1. Access the Drilldowns tab in one of two ways:

■ Right-click on the query viewer or data monitor results in a dashboard and select Drilldowns/Edit Drilldowns to open the editor to the Drilldowns tab.

Or

■ Right-click on a query viewer or data monitor in the Navigator panel and select the Edit option, then select the Drilldowns tab.

2. Click Add to open the Add Drilldown panel.


3. In the Destination field, choose a resource type, for example, dashboards. 
(Screenshot: the Add Drilldown dialog, whose Destination drop-down lists Dashboards, Active Channels, Query Viewers, and Reports, with the prompts "Pick where this drilldown goes to" and "Give your drilldown a descriptive name".)

Then choose the corresponding specific resource, for example, My_Dashboard.

4. Enter a menu label (defaults to the specific resource’s name). This label will represent this 
drilldown when the user right-clicks and selects Drilldowns on the Viewer panel. 

5. Enter an optional description containing useful information about the drilldown. 

6. Set the remaining options based on your destination resource: 


Options for the Drilldown's Resource Destinations

If resource type is Active Channels, follow these steps:

For an active channel destination, the settings in the Channel Display Options tab are not required; you may click Finish. If you want to set display options:

a. Select a field set from the drop-down list and click OK.

b. Change the Sort By field from the drop-down list and the sort order.

c. Click Finish.

If resource type is Dashboards, follow these steps:

Click Finish. You are done.

If resource type is Query Viewers, follow these steps:

For a query viewer destination, field mapping is required:

a. On the Field Mapping tab, click Add to display a drop-down list of source fields. You must define at least one field map.

The source fields are from the source query viewer (the one you are drilling down from). The mapping condition is always set to =.

b. Under the Destination Field column, select a field from the destination query viewer (the one you are drilling down to).

The Drilldown definition shown in the example maps the source query viewer/data monitor "Name" column to the target query viewer/data monitor "Name" column. This constructs the following drilldown filter:

<target>.Name = <source>.Name

where <source>.Name is replaced by the actual value from the source query viewer/data monitor row.

If there are no eligible field mappings, you cannot complete the drilldown definition; the Finish button is disabled. You can add or remove field mappings, but your choices are limited to the columns already provided in the query viewer.

c. On the Display tab, you can choose to show (check) or hide (uncheck) the data fields in the drilldown result.

d. On the Sort tab, you can click Add to select the columns that specify the sort order of the resulting values. For each added column, change the sort order to ascending (the default) or descending.

e. Click Finish.

If resource type is Reports, follow these steps:

For a report destination, the settings in the Report Display Options tab are not required. To use the parameters set for the report, click Finish. If you want to change the drilldown's display options:

a. Click Add to display a list of the destination report's custom parameters, then select a parameter.

b. Under the Value column, select the field whose value will be used for the parameter.

c. Click Finish.


7. Repeat the process to add multiple drilldowns as required. 

Tips on drilldown definitions: 

• If there is only one drilldown, this is the default drilldown for that resource. If there are multiple 
drilldowns, the first drilldown is the default. You can change the order on the Drilldowns tab. 

• When you run the query viewer results or view a data monitor, right-click, and select Drilldown, the 
selection list displays the list of drilldowns defined for that resource. The default drilldown is at the 
top of the list, and the remaining drilldowns are displayed in the sequence as they appear on the 
data monitor or query viewer's Drilldowns tab. 

• You can define drilldowns for multiple fields of different data types. For example, you can define a 
drilldown to return a combination of event name and IP address. The first step would be to define a 
base query viewer to return these fields in a result, and then, as a next step, add a drilldown and 
select that query viewer to use as the “Drill down to” query viewer. 

• You cannot define drilldowns to go to fields that are SQL functions. 
Example of drilldowns added to a query viewer (screenshot of the Inspect/Edit panel showing the Drilldowns tab, not reproduced)

Editing a Drilldown 

To edit a drilldown: 

1. Open the editor for the query viewer or data monitor you want to edit.

2. Click the Drilldowns tab.

3. Select the drilldown you want to edit and click Edit.

The drilldown dialog for this drilldown is displayed. Change the fields and options as described in "Adding a Drilldown" on page 342.

Note: You can also edit the drilldown from the query viewer or data monitor results. Right-click and select Drilldown > Edit Drilldowns. Selecting this command opens the editor for the query viewer or data monitor at the Drilldowns tab.


Changing the Default Drilldown 

When you run the query viewer results or view a data monitor, right-click, and select Drilldown, the 
selection list displays the list of drilldowns defined for that resource. The default drilldown is at the top 
of the list, and the remaining drilldowns are displayed in the sequence as they appear on the Drilldowns 
tab. This default position is not affected by any sorting of drilldowns. 

To change the default drilldown: 

1. Open the editor for the data monitor or query viewer you want to edit.

2. On the Drilldowns tab under the Default column, click the button corresponding to the drilldown you want as the default and save.

The default drilldown will appear at the top of the selection list the next time you right-click on the query viewer results or data monitor and select Drilldown.


Sorting or Changing the Order of Drilldowns 

If you create multiple drilldowns to different resource types, the Drilldowns tab displays the drilldowns 
in the sequence they were created. This initial sort order affects the selection list if you right-click the 
data monitor or query viewer results on the Viewer panel and select Drilldowns. 

You can re-order the drilldowns in two ways: 

• Sorting the drilldowns 

• Moving specific drilldowns up or down the list 

To change the sort order: 

1. Open the editor for the data monitor or query viewer you want to edit.

2. Click the Drilldowns tab and click Sort on the toolbar.

Multiple drilldowns on the Drilldowns tab are sorted in two ways, as follows: 

■ First, the drilldowns are sorted alphabetically according to resource type: active channels, 
dashboards, query viewers, and reports. 

■ Next, within the resource type, drilldowns are again sorted alphabetically by their menu labels. 
After you click the Sort button, clicking it again will not change the sort order. 

Note: Even if the default drilldown moves after sorting on the Drilldowns tab, the default will 
still be at the top of the selection list when you right-click on the data monitor or query 
viewer results and select Drilldowns. If you want to change the default itself, follow 
instructions in "Changing the Default Drilldown" on page 346. 

To move a drilldown’s position on the list: 

1. Open the editor for the data monitor or query viewer you want to edit.

2. Click the Drilldowns tab and select a drilldown. Do not click under the Default column if you are not changing the default drilldown.

3. On the toolbar, click the up or down arrow buttons to move the drilldown up or down the list.

Removing a Drilldown

You can remove any drilldown, including the default drilldown, one at a time. If you delete the default 
and you have multiple drilldowns, the next drilldown on the list becomes the default. 

To remove a drilldown: 

1. Open the editor for the data monitor or query viewer you want to edit.

2. Click the Drilldowns tab.

3. Select the drilldown you want to remove and click Remove.

4. Repeat as required. 


Moving or Copying a Data Monitor 

You can move or copy a data monitor as you would any other resource (as described in "Moving, 
Copying, Linking, and Deleting Resources" on page 670). 

Note: Regarding data monitors and user permissions 

• Users who do not have data monitor deployment permissions can still copy enabled data 
monitors, but the copies are disabled. Users need both write and deploy permissions to enable 
or disable a data monitor. 

• Users who do not have data monitor deployment permissions can still move data monitors from 
one group to another if they have write permissions on the data monitors they want to move and 
the destination group for the move operation. 

For more about data monitor deployment permissions, see "Controlling Who Has Permissions to Deploy Data Monitors" on page 200.


Deleting a Data Monitor 

1. In the Data Monitors tab of the Navigator panel's Dashboards resource tree, right-click a data 
monitor and choose Delete Data Monitor. 

2. In the dialog box, click Yes. 


Enabling or Disabling a Data Monitor 

When a data monitor is enabled (deployed) it is actively processing events and updating its display. When you disable (un-deploy) a data monitor, it stops processing events and updating its display. You might choose to disable a data monitor because it is not needed or should not be considered under certain circumstances.

Data monitors can be enabled at time of creation (see "Creating a Data Monitor" on page 246) or edited later to enable deployment.

Note: Data monitor deployment is controlled through User Access Control Lists (ACLs). Administrators can allow or block users for data monitor deployment permissions.

Depending on the permissions associated with the user group to which you belong, you may or may not have an option to Enable (deploy) or Disable (un-deploy) the data monitor.

• Administrators (all users belonging to the Administrators group) have permissions to deploy/un-deploy data monitors.

• To deploy a data monitor, a user needs both general data monitor deployment permissions and write permissions to the specific data monitor he or she wants to deploy. Users with permissions to deploy data monitors can deploy only those data monitors for which they have write permissions.

• Administrators can grant permissions to deploy or restrict data monitors to other non-Administrator users through the Access Control Lists (ACLs) editor. For more information, see "Controlling Who Has Permissions to Deploy Data Monitors" on page 200 and "Granting or Removing Resource Permissions" on page 190.


Enabling or Disabling a Data Monitor from the Editor 

Tip: You can set operations permissions on data monitor deployment by editing Access Control 
Lists (ACLs) on user groups. Administrators can allow or block user groups for data monitor 
deployment permissions. (This is different than controlling permissions on who has access to the 
data monitors resource.) 

To set permissions for deploying data monitors, click the Operations tab, then click the Add 
button to get the Permissions Selector dialog for operations, select Deploy and click OK. For more 
information, see "Controlling Who Has Permissions to Deploy Data Monitors" on page 200. 


1. See "Editing a Data Monitor" on page 250 for information on displaying the editor.

2. In the Data Monitor Editor, click the check box for Enable to toggle the data monitor on or off. 

■ A checkmark indicates the data monitor is enabled (deployed). 

■ If the box is unchecked, the data monitor is disabled (undeployed). 

3. Click Apply or OK on the editor to save your changes. 
Enabling or Disabling a Data Monitor in the Navigator

You can also enable and disable data monitors in the Navigator by right-clicking data monitors or a data 
monitor group. 

1. In the Data Monitors tab of the Dashboards resource tree, right-click a data monitor or a data 
monitor group. 

2. Choose Enable Data Monitor to deploy or activate the monitors (if disabled) or Disable Data 
Monitor to un-deploy or deactivate (if enabled). 

For information about granting permissions to user groups to enable or disable data monitors, see 
"Controlling Who Has Permissions to Deploy Data Monitors" on page 200. 


Overriding a Data Monitor's Last State 

Last State data monitors can sometimes display a status that has served its purpose as soon as you 
have seen it. Once seen, you may want to directly reset or change the status so you can watch for a 
new status change, without waiting for an automatic system update. 

Last State data monitors can be displayed as a ribbon on custom view dashboards. See "Using 
Custom View Dashboards" on page 264 for more information. 

When you see a status in a Last State data monitor that you want to reset, de-escalate, or otherwise 
override, right-click a cell in the monitor and choose Override Status. In the Select dialog box, select 
the new status and click OK. 


Managing Data Monitor Groups 

Data monitor groups store similar data monitors in a single location. You can create groups within 
groups to meet enterprise needs. 

You can manage one group at a time by drag-and-drop. You can move or copy dashboards or groups 
within the Dashboards resource tree. Deleting a group deletes the resources it contained. 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 
Where: Resources > Dashboards > Data Monitors tab

Creating a Data Monitor Group

1. Right-click a group and choose New Group.

2. Enter a name in the text field.

3. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57.

4. Press Enter.

Renaming a Data Monitor Group

1. Right-click a group and select Rename.

2. Enter a new name in the group's text field.

3. Press Enter.

Editing a Data Monitor Group

1. Right-click a group and choose Edit Group.

2. In the Group Editor, edit the Name and Description text fields.

3. Click OK.

Moving or Copying a Data Monitor Group

1. Navigate to a group and drag it into another group.

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a copy of the group that is linked to the original group.

If you choose Copy, you create a separate copy of the group that will not be affected when the original group is edited. If you choose Link, you create a copy that is linked to the original group. Therefore, if you edit a linked group, whether the original or the copy, all links are edited as well. When deleting linked groups, you can either delete the selected group or all linked groups.

Deleting a Data Monitor Group

1. Right-click a group and choose Delete Group.

2. In the dialog box, click Yes.

Enabling or Disabling Data Monitor Groups

Data monitors are enabled by default. When you disable data monitors they stop processing events 
and updating their displays. You might choose to disable a data monitor group because it is not needed 
or should not be considered under certain circumstances. 

You can also enable and disable data monitors individually in the Data Monitor resource tree or Data 
Monitor Editor. 

1. In the Data Monitors tab of the Dashboards resource tree, right-click a data monitor group. 

2. Choose Enable Data Monitor to activate all the monitors in the group (if they are disabled) or 
Disable Data Monitor to deactivate them (if they are enabled). 


Optimizing the Evaluation of Event Filters for Data Monitors

The information described here applies to correlation data monitors that use event filters. This topic is written for advanced content authors. It describes how to automate the optimization of event conditions to reduce the impact on CPU usage.

Evaluating event conditions is one of the most resource-intensive operations in event processing. ESM evaluates event conditions in the sequence they appear on the filter's Filter tab. The following example shows event conditions:

Event conditions
    OR
        Category Significance StartsWith /Compromise
        Category Significance = /Suspicious
        Category Significance = /Hostile

The outer and inner nodes indicate nested conditions. As far as resource usage is concerned, the general guideline is to order these conditions from the most economical to the most expensive, that is, to put the least costly condition on top. However, this may not be enough; you must also consider the TRUE/FALSE rate of each condition and whether you are using OR or AND operators.


Requirement 

To optimize the evaluation of event conditions, data monitors must be of the event or correlation type 
and must be using a filter, because event conditions are defined in the filter. Filters are used not only in 
data monitors but also in other resources, for example, active channels and query viewers. However, 
event conditions in filters are only evaluated and optimized in the context of the data monitors that use 
these filters. The filters themselves are not altered by the evaluation. Refer to "Creating Filters" on 
page 286 for more information. 

Note: A data monitor can use one or more filters. In this case, all filters being used by the data monitor will be optimized in memory.


Automating the Optimization of Filter Conditions 

ESM can have event conditions evaluated and, if necessary, re-sequence the conditions to be evaluated through this property setting in the server.properties file:

rule.dm.optimize.evaluation=true

This setting automates the process of evaluating and optimizing all of your deployed rules and data monitors. The optimization process occurs in memory and leaves your resources intact. If there are changes, for example, real-time rules are updated, or the user de-activates and then re-activates the rule, optimization runs again.

The following line in server.log denotes the end of optimization:

End of conditions optimization in <n> events

Note: Refer to the ESM Administrator's Guide's Configuration section for more information:

• For detailed instructions on how to add settings to the server.properties file, refer to the topic, "Managing and Changing Properties File Settings."

• For information on the server.log file, refer to the topic, "Configuring Manager Logging."


Tracing the Optimization 

The tracing feature described here is optional; however, if you want to use it, the condition optimization setting must be turned on first. The tracing feature enables you to capture information about how your rules were optimized. The information is stored in server.log.

To use the tracing feature, add this property setting in the server.properties file:

rule.dm.trace.optimize.evaluation=true

This setting records in the server.log file the original sequence of conditions and how these conditions are re-ordered (optimized).

To locate the information in the log file, search for the data monitor's name. The following example shows the log statements that include the evaluated data monitor's URI and a sampling of the profiled values. The profile gives the average time in nanoseconds a specific condition took to process. The condition's position is indicated by an index starting at 0. The profile in the log indicates that the costliest condition, at Index 0, took an average of 1,227 nanoseconds over a sampling of 22:
[2014-08-01 12:22:19,416] [INFO ] [default.com.arcsight.common.simplerulesengine.engine.b]
Optimizing /All Data Monitors/ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Attack Rates by Service and Zones/Attacker Zones by Service
Profiled values are [Index=0, avgTime=1227, numSamples=22, Index=1, avgTime=1185, numSamples=22, Index=2, avgTime=1189, numSamples=23]

The following lines indicate the order of conditions (indicated as nodes) as originally defined. The number in parentheses after each node is its index:

Original nodes are
Node : category Significance StartsWith "/Compromise" (0)
Node : category Significance EQ "/Suspicious" (1)
Node : category Significance EQ "/Hostile" (2)

The following lines indicate the optimized order of conditions (indicated as nodes):

Optimized nodes are
Node : category Significance EQ "/Suspicious" Moved from position 1
Node : category Significance EQ "/Hostile" Moved from position 2
Node : category Significance StartsWith "/Compromise" Moved from position 0

Observe how nodes were moved up and down to indicate which conditions are evaluated first. Index 0, originally profiled as the costliest, is now evaluated last.

Note: Filter conditions can have nested filters. In this case, conditions in those nested filters are 
also evaluated and optimized, but the node listing in the log will not distinguish in which filters the 
conditions are defined. 
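As an added example that is not part of this guide or of ESM itself, the following Python script parses a constructed sample of the trace output shown above (the Index=1 avgTime, which is not legible in the extracted log, is assumed to be 1185), reproduces the cheapest-first re-ordering the trace reports, and goes one step beyond the log by weighting each condition's cost with its TRUE/FALSE rate, which the guideline earlier in this topic says must also be considered for OR and AND nodes.

```python
"""Re-order filter conditions the way the rule.dm.trace.optimize.evaluation
trace on this page describes, then add TRUE/FALSE-rate weighting.

Added example, not ArcSight code. SAMPLE_LOG is a constructed sample shaped
like the page's trace; the Index=1 avgTime (1185) is an assumed value.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample of the trace output; see the module docstring.
SAMPLE_LOG = """\
[2014-08-01 12:22:19,416] [INFO ] [default.com.arcsight.common.simplerulesengine.engine.b]
Optimizing /All Data Monitors/ArcSight Foundation/Intrusion Monitoring/Detail/Attack Monitoring/Attack Rates/Attack Rates by Service and Zones/Attacker Zones by Service
Profiled values are [Index=0, avgTime=1227, numSamples=22, Index=1, avgTime=1185, numSamples=22, Index=2, avgTime=1189, numSamples=23]
Original nodes are
Node : category Significance StartsWith "/Compromise"
Node : category Significance EQ "/Suspicious"
Node : category Significance EQ "/Hostile"
"""

PROFILE_RE = re.compile(r"Index=(\d+),\s*avgTime=(\d+),\s*numSamples=(\d+)")


def parse_profile(log: str) -> Dict[int, Tuple[int, int]]:
    """Map condition index -> (avgTime in ns, numSamples) from the profile line."""
    return {int(i): (int(t), int(n)) for i, t, n in PROFILE_RE.findall(log)}


def parse_original_nodes(log: str) -> List[str]:
    """Return each condition listed after 'Original nodes are', in log order."""
    nodes: List[str] = []
    in_block = False
    for line in log.splitlines():
        if line.startswith("Original nodes are"):
            in_block = True
        elif in_block and line.startswith("Node :"):
            nodes.append(line[len("Node :"):].strip())
    return nodes


def optimize_by_cost(nodes: Sequence[str],
                     profile: Dict[int, Tuple[int, int]]) -> List[Tuple[str, int]]:
    """Cheapest-first order by profiled avgTime, which is what the trace shows.
    Each result is (condition, original position), as in 'Moved from position N'."""
    order = sorted(range(len(nodes)), key=lambda i: profile[i][0])
    return [(nodes[i], i) for i in order]


def format_optimized(optimized: Sequence[Tuple[str, int]]) -> List[str]:
    """Render the 'Optimized nodes are' lines in the trace's own format."""
    return [f"Node : {cond} Moved from position {pos}" for cond, pos in optimized]


def expected_cost(order: Sequence[int], costs: Sequence[float],
                  true_rates: Sequence[float], op: str) -> float:
    """Expected cost of evaluating `order` with short-circuiting:
    an OR node stops at the first TRUE, an AND node at the first FALSE."""
    total, p_continue = 0.0, 1.0
    for i in order:
        total += p_continue * costs[i]  # condition i is reached with probability p_continue
        p_continue *= (1 - true_rates[i]) if op == "OR" else true_rates[i]
    return total


def best_order(costs: Sequence[float], true_rates: Sequence[float], op: str) -> List[int]:
    """Cost-and-rate-aware order: rank by cost / P(short-circuit), i.e. cost/P(TRUE)
    for OR and cost/P(FALSE) for AND, so cheap conditions that are likely to end the
    evaluation go first. A condition that can never short-circuit goes last."""
    def rank(i: int) -> float:
        p = true_rates[i] if op == "OR" else 1 - true_rates[i]
        return float("inf") if p == 0 else costs[i] / p
    return sorted(range(len(costs)), key=rank)


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_LOG)
    nodes = parse_original_nodes(SAMPLE_LOG)
    print("\n".join(format_optimized(optimize_by_cost(nodes, profile))))
    # Constructed TRUE rates: /Compromise matches often, the other two rarely.
    costs = [profile[i][0] for i in range(len(nodes))]
    rates = [0.3, 0.05, 0.05]
    for op in ("OR", "AND"):
        order = best_order(costs, rates, op)
        print(op, [nodes[i] for i in order], round(expected_cost(order, costs, rates, op), 1))
```

With the constructed rates, the OR node is cheaper to evaluate with the expensive but frequently TRUE /Compromise condition first, which is the situation the guideline warns about when cost alone decides the order.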


To save a filter in its optimized state: 

If you are a content author, you can leverage the log information to modify your filter conditions 
permanently. This procedure is optional. 

1. Refer to the log and re-order the filter conditions accordingly. 

2. Save the filter in this optimized state. Repeat for nested filters as required. 

Filters may be shared with other resources, for example, active channels and query viewers. In this 
case, if you manually optimize filters used by data monitors, other resources using the same filters will 
benefit from the change. Once filter conditions have been optimized for a data monitor and even if you 
don’t manually change the filters, you may disable the optimization tool, described in "Disabling the 
Optimization Feature" on the next page. 
Disabling the Optimization Feature

Optimization runs only once on event filters used by data monitors, and the profiles for the evaluated conditions are stored in the log file. Each time you disable and re-enable event data monitors, evaluation and optimization runs again. When the feature is no longer needed, for example, because you have modified the event filters, you can change the optimization setting to false in server.properties. While the tool is disabled, any newly-deployed data monitor will not be optimized.


Using Query Viewers 

Query viewers are a type of resource used for defining and running SQL queries. Query viewers can be 
added to the dashboard. For more information about defining query viewers and adding them to the 
dashboard, see "Query Viewers" on page 323. 


Using Custom View Dashboards 

You can create custom layouts of dashboard data. Also known as image dashboards, custom view 
dashboards enable you to create custom views of dashboard data from query viewers and from data 
monitors over an imported image, such as a geographical map. 

From the Console, custom view dashboards are displayed in the user's preferred Web browser. 

Note: Refer to the Support Matrix document applicable to your ESM version for the official list of 
supported Web browsers. 

In custom view dashboards, only drill-downs to other dashboards are supported. Custom view 
dashboards refresh event data at the same rate as regular dashboards. 


Displaying Custom View Dashboards 

There are several ways to switch from the regular dashboard view to the custom view dashboard view. 
Each of these methods loads the custom view dashboard editor in the Viewer Panel in the custom view 
dashboard’s View mode with the last configuration you saved. 

From the regular dashboard view in the Viewer panel: 

1. In the Navigator panel, go to Dashboards.

2. Double-click the dashboard you want to open, or right-click it and select Show Dashboard.

3. Do one of the following:

■ Click the Layout Selector button at the bottom of the display and select Custom Layout.

■ Right-click the dashboard tab and select Choose Layout > Custom Layout. 

■ Right-click any data monitor in the dashboard and select Dashboard > Choose Layout > 
Custom Layout. 

The dashboard is displayed on your preferred Web browser. 


Note: Below are important reminders about custom view dashboards: 

• You must save a new or edited dashboard before the custom view dashboard is accessible. 

If you are creating a new dashboard or have edited an existing one to use the Custom Layout, 
you must first save the dashboard to establish the custom layout for this dashboard on the 
Manager. 

• Custom view dashboards are displayed with the default chart and color settings. 

User customizations to chart settings and color selections applied to dashboards in the regular 
viewer are not applied to the custom view dashboard view. 

• Custom view dashboard backgrounds scale to fit the available Viewer panel space. 

For more about selecting and working with background images for custom view dashboards, see 
"Loading a Background Image" on page 267. 


Refreshing the Custom View Dashboard Layout 

On the custom view dashboard, click the Reload button on the top right of the menu bar. 

Custom View Dashboard Context Menu Options 


Both the View and Arrange modes offer the following context menu options (Ctrl, Alt, or Shift + left 
click): 

Context Menu Options for Custom View Dashboards 

Save 
    Save the current dashboard layout. This option becomes available when you have 
    selected a different layout using the View As context menu option. 

Data Monitor: Enable/Disable 
    Enable or disable the data monitor. For more about enabling and disabling data 
    monitors, see "Enabling or Disabling a Data Monitor" on page 257. 

View As 
    Change the data monitor view to a graphical format supported for the data monitor 
    type. For more about data monitor views, see "Display Formats" on page 243. 

Auto Arrange 
    Let the Console rearrange the dashboard elements in the best possible fit, 
    horizontally from left to right. Any remaining available space is moved to the 
    bottom. 

Choose Colors 
    Set foreground and background colors. If the display format is a table, you can 
    additionally associate row or cell colors with returned values. 


Reverting to the Regular Dashboard View 

You cannot display the regular view and the custom view of the same dashboard at the same time. 
Therefore, every time you show a dashboard on the Viewer panel and then display its custom view, the 
dashboard's tab on the Viewer panel becomes empty. 

If your dashboard is set to display in a layout other than Custom Layout (for example, Tab), and if you 
displayed the dashboard in custom view, that dashboard is always displayed in custom view until you 
revert to regular view, as described below: 

1. Close the browser where the custom view dashboard is displayed. 

2. Right-click the dashboard’s tab in the Viewer panel and select Close to close the empty 
dashboard. 

3. Double-click the dashboard in the Navigator panel, or right-click it and select Show Dashboard to 
re-open the dashboard in regular view. 


Note: If you edited a dashboard and changed its Layout setting to Custom Layout, then the 
dashboard is always displayed in custom view when you right-click on it and choose Show 
Dashboard. To revert to regular view, edit the dashboard again and change its Layout setting 
to one of the other options. 


Working with Custom View Dashboards 

Custom view dashboards provide two modes: View mode for monitoring and investigating events, and 
Edit mode, for arranging and customizing background elements. 

Custom view dashboards open in the View mode. In View mode, you can select a dashboard element 
then choose a different display format. 

If there is no background associated with a dashboard from when it was created using the Dashboard 
editor, the dashboard is displayed with a white background; otherwise you see the last background that 
was added. The dashboard elements are rendered in evenly distributed rows. 
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To Select View Mode 

1. In the custom view dashboard top menu bar, select View. 

2. From the drop-down menu, select the dashboard element and the desired display format. 
Some dashboard elements may not offer other display format options. 


Arranging Custom View Dashboards 

In Arrange mode, you can customize the dashboard layout, toggle data monitors on and off, and upload 
a background image. 

When you switch to Arrange mode, chart-type data monitors appear with a yellow background. You can 
relocate, resize, and reshape all types of data monitors anywhere in the custom view dashboard view. 

Note: Changes saved to a custom view dashboard refresh the dashboard on all ArcSight 
Consoles attached to the Manager. 

If the ArcSight Manager supports more than one ArcSight Console, any custom view dashboard 
changes saved on one Console will refresh that dashboard on the other Consoles attached to the 
Manager. 


Selecting Arrange Mode 

In the custom view dashboard's top menu bar, select Edit > Arrange. 

Loading a Background Image 

You can upload a background image to the custom view dashboard. The image you select will be 
stretched to fit the available display space in the Viewer panel, so for best results, select an image with 
adequate size and proportion to fill the space. 

1. In the Navigator panel, go to Dashboards. Double-click the dashboard you want to open in the 
Viewer panel, or right-click it and select Show Dashboard. 

2. Click the Layout Selector button at the bottom of the display and select Custom Layout to 
open the custom view dashboard on the browser. 

3. On the custom view dashboard, select Edit > Upload New Background Image. 

4. In the Upload New Background Image popup, browse to the location of the image and select it. 
Then click Upload. 


Tip: If the background image is not displayed right away, refresh the custom view 
dashboard. To refresh the Custom Layout view, click the Reload button at the top right of the 
toolbar. 


Selecting a Previously Uploaded Background Image 

If you have previously uploaded a background image that you want to load as the custom view 
dashboard background, or you want to use an image stored as a file resource, use the Files resource. 

1. In the Navigator panel, go to Files. 

2. Right-click a folder (for example, your personal folder) and select New File. In the Inspect/Edit 
panel, give the file a name, and click Upload. 

3. In the popup, browse to the location of the image file and click OK. The file is stored as a resource. 

4. In the Navigator panel, go to Dashboards. Double-click the dashboard you want to open in the 
Viewer panel, or right-click it and select Show Dashboard. 

5. Click the Layout Selector button at the bottom of the display and select Custom Layout to 
open the custom view dashboard on the browser. 

6. On the custom view dashboard, select Edit > Choose an Existing Background Image. 

7. In the Select a File popup, select the image you uploaded to the Files resource. Then click OK. 

8. Click Save on the top right of the custom view dashboard's menu bar. 

Verifying the Background Image 

You can verify that a background image has been attached to a custom view dashboard without 
launching the custom view dashboard itself. 

1. In the Navigator panel, right-click the Dashboard resource and select Edit Dashboard. 

2. In the Inspect/Edit panel, verify the values in the following fields: 

■ Layout = Custom Layout 

■ Background = URI to the file resource for the image, or path to the image file in another drive 

Removing a Background Image 

You can remove the background image directly from the custom view dashboard or from the 
dashboard's Inspect/Edit panel. 
To remove a background image from the custom view dashboard: 

1. Display the dashboard in custom view. 

2. Click Edit from the top menu bar and select Clear Background. 

3. Click Save on the top right of the custom view dashboard's toolbar. 

Monitoring Active Lists 

You can directly examine and modify the active lists available in the Navigator panel's Active Lists 
resource tree. 

To view active list contents: 

1. Choose the Active List resource tree in the Navigator panel. 

2. Right-click an active list and choose Show Entries. 

The viewer panel displays the list entries. 

To refresh the active list view: 

Active lists show results as of the time they opened for viewing, or the last time they were refreshed. 
Click the Refresh button in the view header to update the contents. 

To use the context menu on an active list view: 

Below are right-click context commands available in active list views: 


New 
    Add an entry to the active list using the Active List Entry Editor. 

Edit 
    Edit the selected entry using the Active List Entry Editor. 

Delete 
    Remove the selected entry from the active list. 


To add to or subtract events from an active list: 

You can add or remove event-attribute-based active list entries using selected events in the active 
channel. This feature automatically offers the name of the active list that is appropriate for the selected 
event. 

See "Adding Events from a Channel to an Active List" on page 482 for instructions. 
To filter an active list: 

In addition to the constraints of an active list itself, you can place a temporary filter on an active list 
view to aid your analysis. Such filters are not saved with the active list. 

1. Open an active list in the Viewer panel as described above. 

2. Click the Filter status description in the view header to open the Common Condition Editor. For 
example, the status No Filter Defined. 

3. Use the Common Condition Editor as described in "Creating Filters" on page 286. 

To clear active list views: 

While monitoring a particular active list view, you may want to see only traffic that happens after a 
certain point in time. You can accomplish this by clearing the view. 

1. In the Navigator panel's Active List resource tree, select the active list to clear. 

2. Right-click and choose Clear Entries. 

To customize active list columns: 

You can modify active list views just like other grid views, as described in "Customizing Columns" on 
page 236. 

Related topic: 

"List Authoring" on page 469 


Graphing Attacks 

You use graphic analytics to quickly identify high-volume attackers or targets at a glance. You can 
locate and typify cascading attacks (for example, worms and viruses), and isolate and analyze events 
involving interactions between two or more devices (for example, threat discovery). 

• The event data you visualize can be static (a snapshot of the selected events) or live (continuously 
updated with specified real-time event data). You create static graphs by selecting certain event 
data out of a source and displaying it as a graphic. See "Creating Static Event Graphs" on the next 
page. 

• You create live graphs using a graphic data monitor type. See "Creating Live Event Graphs" on the 
next page. 

• See "Event Graph Notes" on page 272 for descriptions of the graphical elements on an event graph. 
See also "Configuring Event Graphs" on page 87 to set or change your event graph preferences. 
Creating Static Event Graphs 

1. Select an array of events in a grid, data monitor, or event inspector. 

2. Right-click the selected set and choose Event Graph or Geographic View. 

The Viewer panel displays the selected events in a new view, using the graphic or geographic styles 
described below. 



Creating Live Event Graphs 

• Select an Event Graph or Geographic Event Graph data monitor in the Dashboards tab of the 
Navigator panel's Dashboards resource tree. Right-click it and choose Add to Dashboard 
As>Geographic Graph or Graph. 

• Alternatively, right-click your personal Data Monitors folder in the Navigator and choose New Data 
Monitor. In the Data Monitor Editor, in the Data Monitor Type drop-down list, choose Event Graph 
or Geographic Event Graph. Define the graphic data monitor as described in "Creating a Data 
Monitor" on page 246. 


The Data Monitor Editor has certain attributes for these types: 


Max Event Count 
    The number of most-recent events to show. Events older than this are discarded. 

Event Node Identifier 
    The fields that are available to use to uniquely identify the event type in 
    a transaction. 

Availability Interval 
    The number of seconds for the interval between updates to the graphic. 

Show Source-Target Nodes as 
    See "Configuring Event Graphs" on page 87. 

Source Node Identifier 
    See "Configuring Event Graphs" on page 87. 

Target Node Identifier 
    See "Configuring Event Graphs" on page 87. 

Show Event Nodes 
    See "Configuring Event Graphs" on page 87. 


For geographic event graphs: 

Geographic Event Attributes 

Max Event Count 
    The number of most-recent events to show. Events older than this are discarded. 

Availability Interval 
    The number of seconds for the interval between updates to the graphic. 


Event Graph Notes 

Link-analysis visualizations are chart-like or logically oriented. Geo-spatial visualizations are map- 
based or physically oriented. Node size indicates increasing event volume. 

Event Graph (figure not reproduced) 

Each event is composed of the event node itself (a turquoise circle) and its connected source node (red 
square) and target node (white square) device assets. The source and the target may be the same 
asset. 

Blue squares indicate a combined source and target node (a “point event”). Pink nodes indicate IP 
addresses that are worm or virus infection sources for other nodes. 
Point events occur on a single host; for example, a syslog entry for a running process. They graph as IP 
address nodes that loop to an event node and back. 

In geo-spatial displays, source and target location plotting is based on the physical addresses 
registered for IP addresses. ArcSight includes standard plotting information for this purpose. The 
addresses are plotted against a world map that you can zoom in or out. All the specific location data 
that supports this feature also appears as attributes in the Event Inspector. 

You can modify the way graphs plot events, choosing to keep the source-event-target visual 
relationships compact, or to emphasize unique sources, targets, or both in order to more easily clarify 
the nature of attacks or situations. 
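The following is an added example, not ArcSight code, that models the Event Graph data monitor attributes (Max Event Count as a sliding window) and the node semantics described above (source, target, event and point-event nodes, node size driven by event volume); the Event record and the 192.0.2.x sample addresses are constructed for illustration.

```python
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """Constructed, simplified event record (not the ESM event schema)."""
    event_id: str   # stands in for the field chosen as Event Node Identifier
    source: str     # source address (rendered as a red square)
    target: str     # target address (rendered as a white square)


class EventGraph:
    """Sliding-window model of an Event Graph data monitor: only the most
    recent max_event_count events are kept, older ones are discarded."""

    def __init__(self, max_event_count: int) -> None:
        if max_event_count < 1:
            raise ValueError("Max Event Count must be at least 1")
        self.events: Deque[Event] = deque(maxlen=max_event_count)

    def add(self, event: Event) -> None:
        # deque(maxlen=...) drops the oldest event automatically
        self.events.append(event)

    @staticmethod
    def is_point_event(event: Event) -> bool:
        # A point event occurs on a single host: source and target are the same asset
        return event.source == event.target

    def point_events(self) -> List[str]:
        return [e.event_id for e in self.events if self.is_point_event(e)]

    def edges(self) -> List[Tuple[str, str]]:
        """source -> event node -> target; a point event loops back to its own host."""
        out: List[Tuple[str, str]] = []
        for e in self.events:
            out.append((e.source, e.event_id))
            out.append((e.event_id, e.target))
        return out

    def node_roles(self) -> Dict[str, Set[str]]:
        """Roles each asset node plays: 'source', 'target', or 'point' (both at once)."""
        roles: Dict[str, Set[str]] = {}
        for e in self.events:
            if self.is_point_event(e):
                roles.setdefault(e.source, set()).add("point")
            else:
                roles.setdefault(e.source, set()).add("source")
                roles.setdefault(e.target, set()).add("target")
        return roles

    def volume(self) -> Counter:
        """Events touching each asset; node size grows with this count."""
        c: Counter = Counter()
        for e in self.events:
            c[e.source] += 1
            if not self.is_point_event(e):
                c[e.target] += 1
        return c

    def top_talkers(self, n: int) -> List[Tuple[str, int]]:
        """Highest-volume assets: the 'attackers or targets at a glance' use case."""
        return self.volume().most_common(n)


def demo() -> EventGraph:
    """Constructed sample: four events into a window of three."""
    g = EventGraph(max_event_count=3)
    for ev in (
        Event("e1", "192.0.2.10", "192.0.2.20"),
        Event("e2", "192.0.2.10", "192.0.2.30"),
        Event("e3", "192.0.2.40", "192.0.2.40"),  # point event, e.g. a local syslog entry
        Event("e4", "192.0.2.10", "192.0.2.20"),
    ):
        g.add(ev)
    return g


if __name__ == "__main__":
    graph = demo()
    print("kept:", [e.event_id for e in graph.events])  # e1 was discarded
    print("point events:", graph.point_events())
    print("top talker:", graph.top_talkers(1))
```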
Events in Active Channels 

An active channel is a grid view in which there is a row for each event. In an active channel you can 
select which events you want to investigate. After selecting one or more events in the channel, you can 
perform several analysis and authoring tasks. 

Topics include: 

• "Selecting Events in the Active Channel" below 

• "Showing Event Details and Rule Chains" below 

• "Investigating Session Events" on page 276 

• "Collaborating on Events (Event Annotation)" on page 277 

• "Working with Event Payloads" on page 282 

• "Exporting Data Fields to a CSV File" on page 283 

• "Getting Knowledge Base Articles" on page 285 


Selecting Events in the Active Channel 

To select fields to investigate: 

Click an event or Ctrl+click a set of events. To select a range of events, click one event and 
Shift+click the event at the end of the range. 

To invert your field selection: 

Select one or more events in the channel, right-click and choose Invert selection. 

To select events with matching cells: 

Select a cell in an event, right-click and choose Select events with matching cell to see if other 
events in the channel have matching cell values. 


Showing Event Details and Rule Chains 

Rule-based correlation events are those generated by a triggered ArcSight rule as a reaction to an 
original sensor-generated event. In other words, an event concerning an event. You recognize 
correlation events in active channels by their red Flash icon. To mask active channels so they show 
only correlation events, select the check box at the top of the channel's left-most column. 

To display event details: 

In an active channel, select an event. Right-click and choose Show event details. The event's details 
appear in the Event Inspector. 

Note: Some system operations, for example, audit event generations, are done on behalf of a 
special system user called 1ROOTUSER. When you are investigating event details, you might 
see a user ID with this value. This user ID is valid and intended for internal use only. 

When you apply an actor field set to an event being displayed in the event inspector, you may 
experience an extended load time. 

To display simple event rule chains: 

1. In an active channel, select a correlation event. You recognize correlation events in active 
channels by their red Flash icon. 

2. Right-click and choose Rule options > Simple chain. 

To display detailed event rule chains: 

1. In an active channel, select a correlation event. 

2. Right-click and choose Correlation options > Detailed chain. 

The events leading up to the correlation event appear in the Description panel at the top of the 
Inspector. Click any event in the chain to see its details below. 

To view forwarded correlation events and their correlated (base) events: 

Based on your requirements, you can configure the Forwarding Connector to send only the correlation 
events without the correlated (also referred to as base) events from one source Manager to a 
destination Manager. You can also configure the connector to include the correlated events 
automatically, whenever a correlation event is forwarded. 

After the correlation and correlated events are forwarded, you can view them on the destination through 
the Event Inspector. Make sure the source Manager is configured correctly according to the 
instructions in the Forwarding Connector Configuration Guide. 

To display correlation-event rules: 

1. In an active channel, select a correlation event. You recognize correlation events in active 
channels by their red Flash icon. 

2. Right-click and choose Correlation options, then Show triggering resource. 
The rule or resource that triggered the correlation event is selected in the Navigator panel's Rules 
resource tree and that rule appears in the Rules Editor. 

To execute or clear rule actions: 

1. In an active channel, select a correlation event. You recognize correlation events in active 
channels by their red Flash icon. 

2. Right-click and choose Rule options, then Clear Rule Actions to clear all actions associated 
with this rule. 

For more information, see "Managing Rule Actions" on page 515. 

To launch event details in a browser: 

1. In an active channel, right-click an event and choose Show event details. 

2. In the condition table of the Event Inspector, right-click and choose Launch Event Details in 
Browser. 

A Web browser opens with the selected event's details. 

To hide empty rows in the Event Inspector: 

1. In an active channel, right-click an event and choose Show event details. 

2. In the condition table of the Event Inspector, right-click and choose Hide Empty Rows. 

Investigating Session Events 

This topic explains how to use the Console's Investigate > Session Events command to refine and 
explore channels contextually, using attributes of the events already being displayed in active 
channels. 

You can investigate session list entries two ways: 

• Filter the set of entries based on the attributes of a particular entry, or 

• Create an Investigation Channel that contains only the entries that match one or more attributes of 
the initial session list entry. 

To investigate a session event: 

1. Right-click a session list in the Navigator and choose Show Entries. 

2. In the Viewer panel, select an entry that bears investigation by clicking it. 
3. Right-click the selected entry. The menu includes commands to Create Channel and Add 
Condition to Channel Editor. The details of each command will vary based on which column 
you right-click. 

For example, if you right-click a Source IP column containing the value 192.0.2.0, the choices 
are: 

■ Create Channel (Source IP = 192.0.2.0) 

■ Create Channel (Source IP != 192.0.2.0) 

■ Create Channel > 

■ Add Condition to Channel Editor (Source IP = 192.0.2.0) 

■ Add Condition to Channel Editor (Source IP != 192.0.2.0) 

■ Add Condition to Channel Editor > 

The sub-menus (indicated by the >) offer similar choices for all the other columns of the Session 
List entry. 

If you choose Create Channel, a channel is added to the Viewer panel. If you choose Add 
Condition to Channel Editor, a channel editor will open in the Inspect/Edit panel. 

For more information about creating and using views for investigation, see "Investigating Views" on 
page 223. 


Collaborating on Events (Event Annotation) 

You can use workflow-style annotation to collaborate with other users in analyzing or reviewing 
selected events. (See also "Case Management and Queries" on page 596.) 

When you are annotating, you can make collaboration-stage changes to just the event you originally 
selected, or have that change also affect a larger set of similar events that should also be carried 
forward in the review process. 

The central tasks in annotating events for collaborative analysis are assigning them to yourself or 
another user, then assigning them to one of the available sequential workflow stages (dispositions). 
While ArcSight comes with a default set of stages, your enterprise will very likely have customized 
these stages and created new ones. 

Compare collaborative annotation to cases, which are a more formal way to track sets of events that 
are under investigation. 

Related topics: 
• "Annotating an Event" below 

• "Viewing Annotations for an Event" on page 280 

• "Creating or Editing Stages" on page 280 


Annotating an Event 

1. Select one or more events in any active channel. If not already annotated, you can start a 
collaboration cycle. 

2. Right-click the events and choose Annotate Events (or Ctrl+T keyboard command). 

3. In the Annotate Events dialog box, set or change the events' Annotations fields, as described 
below. 

4. To have this change also affect related events, use the Mark Similar Events fields, as described 
below. 

5. Click OK to update the event. 

Event Annotation Fields 

Stage 
    Click this field to choose a different disposition state for the events' collaboration 
    cycle. The default stages run from Initial to Closed. 
    If you created your own stages as described in "Creating or Editing Stages" on 
    page 280, these custom stages would be displayed here. 

Assign to 
    Click this field to choose an ArcSight user to take the next step. 

Is Reviewed 
    This read-only field tells you whether this event has been reviewed. 

In Case 
    This read-only field tells you whether these events are already part of an ArcSight 
    case. If they are, you have more ways to track their disposition. 
    See "Working with Events in Cases" on page 609 for related information. 

Correlated 
    This read-only field tells you whether these events are part of a correlated event chain. 
    If so, you can learn more through the rules authored to control that chain of correlation. 
    Note: The ArcSight Forwarding Connector can be configured to send correlation 
    events along with the correlated base events from a source Manager to a destination 
    Manager. However, the forwarded base events display the Correlated flag only in 
    memory, which you can view on an active channel. If you want the forwarded base 
    event’s Correlated flag to persist in the database, set this property in 
    server.properties on the source Manager: 

    logger.base-event-annotation.enabled = true 

    For instructions on how to edit the server.properties file, refer to the ESM 
    Administrator’s Guide’s topic on “Managing and Changing Properties File Settings.” 

Hidden 
    This read-only field tells you whether these events are hidden from all but the assigned 
    users of this stage. 

Closed 
    This read-only field tells you whether the investigation of these events has been 
    marked as closed. Closed events may no longer be visible to interested parties 
    through active channels, for example. 


Comments Field 

The Comments field is for information you can add as needed to clarify the collaborative process. 

Mark Similar Events Fields 

Event “similarity,” for collaboration purposes, is defined as a combination of time constraints and 
having certain key event attributes in common. For example, you could apply a collaboration change to 
additional events received in the future on the basis of those events having the same Attacker value 
and having occurred within the last two days. 


Time Constraints 
    Choose a bracketing combination of Start Time and End Time or Duration. 

Start Time 
    Date and time values to set the beginning of a time-constraint window. Choose from 
    the drop-down menu of expressions or click the ellipsis button to set exact times. 

End Time 
    Date and time values to set the end of a time-constraint window. Choose from the 
    drop-down menu of expressions or click the ellipsis button to set exact times. 

Duration 
    The length of the time window, relative to a Start Time or End Time, when using 
    Duration as a time constraint. 

Criteria 
    A menu of key event-attribute characteristics you can use to define similarity. The text 
    box below specifies the criteria being set. 

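As an added example, not ArcSight code, the similarity rule described above (a time window plus key attributes in common, applied only to events received after the annotation) can be written out as follows; the Event record, the SimilarityMarker class and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    """Constructed, simplified event record (not the ESM event schema)."""
    event_id: str
    end_time: datetime
    attacker: str
    target: str
    stage: str = "Initial"   # default stages run from Initial to Closed


@dataclass
class SimilarityRule:
    """The Mark Similar Events fields: key attributes that must match, plus a
    time window given as Start Time and End Time, or one of them with Duration."""
    criteria: List[str]
    start_time: Optional[datetime] = None
    end_time: Optional[datetime] = None
    duration: Optional[timedelta] = None

    def window(self) -> Tuple[datetime, datetime]:
        if self.start_time is not None and self.end_time is not None:
            return self.start_time, self.end_time
        if self.start_time is not None and self.duration is not None:
            return self.start_time, self.start_time + self.duration
        if self.end_time is not None and self.duration is not None:
            return self.end_time - self.duration, self.end_time
        raise ValueError("need Start Time and End Time, or one of them plus Duration")


class SimilarityMarker:
    """Created when events are annotated; from then on routes similar incoming
    events to the chosen stage. Already-processed events are not touched."""

    def __init__(self, anchor: Event, rule: SimilarityRule, stage: str) -> None:
        self.stage = stage
        # snapshot the key attribute values of the annotated event
        self.key = {attr: getattr(anchor, attr) for attr in rule.criteria}
        self.lo, self.hi = rule.window()

    def is_similar(self, event: Event) -> bool:
        in_window = self.lo <= event.end_time <= self.hi
        same_keys = all(getattr(event, a) == v for a, v in self.key.items())
        return in_window and same_keys

    def on_event(self, event: Event) -> bool:
        """Apply the stage to a newly received event if it is similar."""
        if self.is_similar(event):
            event.stage = self.stage
            return True
        return False


def demo() -> List[Event]:
    """Constructed sample: same Attacker within the last two days is 'similar'."""
    now = datetime(2015, 6, 1, 12, 0)
    annotated = Event("e0", now, "192.0.2.10", "192.0.2.20", stage="Follow-up")
    rule = SimilarityRule(criteria=["attacker"], end_time=now, duration=timedelta(days=2))
    marker = SimilarityMarker(annotated, rule, stage="Follow-up")
    incoming = [
        Event("e1", now - timedelta(hours=6), "192.0.2.10", "192.0.2.21"),  # similar
        Event("e2", now - timedelta(hours=6), "192.0.2.11", "192.0.2.20"),  # other attacker
        Event("e3", now - timedelta(days=3), "192.0.2.10", "192.0.2.20"),   # outside window
    ]
    for ev in incoming:
        marker.on_event(ev)
    return incoming


if __name__ == "__main__":
    for ev in demo():
        print(ev.event_id, ev.stage)
```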

Annotation Preservation 

With the CORR-Engine, when the day’s events are archived at the end of the day, the archive is 
permanent. If, while the archive is still online, you make changes or additions to event annotations, 
they are preserved as a supplemental archive when the archive goes off line at the end of the retention 
period. If you reactivate an offline archive and make more annotation changes, they are only preserved 
until you deactivate the archive, at which time these annotation changes are deleted. Refer to the 
ArcSight Command Center User’s Guide for information on retention periods and archives. 


Viewing Annotations for an Event 

Annotations on an event are displayed in the Annotations tab of the Event Inspector when that event 
is selected. 

To view the annotations for an event: 

1. Right-click an event in a view (such as an active channel or active list) and choose 
Show Event Details to bring up the Event Inspector. 

2. In the Event Inspector, click the Annotations tab. 

The tab displays the event's timestamp, the user name associated with the event, the stage, and 
flags. See "Annotating an Event" on page 278 for related information. 


Creating or Editing Stages 

Caution: Keep stages provided as standard content in the given folders and do not move them into 
another folder. Standard content stages are Closed, Final, Flagged as Similar, Follow-up, Initial, 
Monitoring, Queued, and Rule Created. 


1. Choose the Stages resource tree in the Navigator panel. 

2. If you are creating a stage, right-click the All Stages group and choose New Stage. 

If you are editing a stage, Right-click a stage under the All Stages group and choose Edit Stage. 
3. In the Stage Editor, enter a name for the stage. 

4. Make other appropriate choices, as described in the following table: 

Stage Editor Fields 

Subsequent stages 
    Select one or more stages to set as follow-on stages to this one. Events in this 
    stage will show these other stages as options in the Stage field of the Annotate 
    Fields dialog box. 

User required 
    Select whether you want to prompt for a user assignment when assigning this 
    stage. If you don't prompt for a different user, or no change is made, the current 
    user remains in effect. 

Comment required 
    Select whether you want to require users to add a comment when assigning this 
    stage. 

Can be skipped 
    Select whether this stage can be bypassed when assigning from one stage to the 
    next. 

Mark similar required 
    Choose whether you want events that are similar to the selected events to be 
    automatically assigned to this stage. Similarity is scoped at assignment time 
    through the Mark Similar Events fields of the Annotate Events dialog box you 
    see when you choose Annotate in an active channel. Note that similarity 
    marking applies only to subsequent events received in the future. Events already 
    processed are not affected. 

Mark similar stage 
    Select whether you want to use this stage as a routing mechanism for other 
    stages in a workflow. When selected, assigning one or more events to this stage 
    causes all following (subsequent) similar events to be automatically redirected 
    to the chosen stage. Events already processed are not affected. Similarity is 
    scoped at assignment time through the Mark Similar Events fields of the 
    Annotate Events dialog box you see when you choose Annotate in an active 
    channel. 

    Note: With the assistance of HP Professional Services, you can customize the 
    similarity criteria selector for Mark Similar events. In this way you can have 
    conditions that are different from the defaults. This is done with the Velocity 
    scripting language, by modifying certain Velocity templates present on the 
    Console, in the config/similarity directory. Ask your ArcSight administrator 
    for more information or make a request of HP Professional Services. 

Hidden 
    Select whether you want events assigned to this stage to be hidden from all but 
    the assigned users (True), left visible to everyone (False), or to leave the current 
    visibility unchanged (Ignore). 

Closed 
    Select whether you want events assigned to this stage to be marked as closed to 
    investigation (True), not marked as closed (False), or left in their previous state 
    (Ignore). 
5. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

6. Click Apply to save your changes and keep the editor open, or click OK to save and close. 

Working with Event Payloads 

An event “payload” is the information carried in the body of the event's network packet, as distinct from 
the packet's header data. From the Console, you can search, retrieve, view, save to a file, or discard 
event payloads. 

The first step in handling event payloads is to be able to locate payload-bearing events among the 
general flow of events in an active channel. 

To find payloads: 

1. In an active channel, right-click a column header and choose Add Column>Device>Payload ID. 

2. Look for events showing a Payload ID in that column. 

To retrieve payloads: 

1. In an active channel, double-click an event with an associated payload. 

2. In the Event Inspector, click the Payload tab. 

3. Click Retrieve Payload. 

To preserve payloads: 

You can select to preserve the payload for an event in either of two ways: 

• In an active channel, right-click an event with an associated payload, choose Payload, then 
Preserve. 

Or 

• In the Event Inspector, click the Payload tab, then Preserve Payload. 

To discard payloads: 

In an active channel, right-click an event with an associated payload and choose Payload, then 
Discard Preserved. 

You can also use the Event Inspector, as follows: 
1. In an active channel, double-click an event with an associated payload. 

2. In the Event Inspector, click the Payload tab. 

3. Click Discard Preserved Payload. 

To save payloads to files: 

1. In an active channel, double-click an event with an associated payload. 

2. In the Event Inspector, click the Payload tab. 

3. Click Save Payload. 

4. In the Save dialog box, navigate to a directory and enter a name in the File name text field. 

5. Click Save. 

To view payloads in other viewers: 

1. In an active channel, double-click an event with an associated payload. 

2. In the Event Inspector, click the Payload tab. 

3. Click Launch External Payload Viewer. 

4. View the payload using the Preferred Payload Viewer and Text to PCAP Converter, specified 
in the Console's Edit>Preferences>Programs panel. 

Exporting Data Fields to a CSV File 

You can export a set of data fields into a comma separated values (CSV) file. 

1. In the channel, select one or more events. 

2. Right-click and choose Export > Events in Channel. 

3. On the Export Events file browser, navigate to the location where you want to save the CSV file, 
then enter or select options for these fields: 

File Name: Enter a file name for the CSV file. 

Note: The file name extension is not required; the csv extension is added 
automatically when the file is created. 

Files of Type: Select Comma separated values (*.csv). 

Export Data Options: For "Rows", you have two options: 

■ If you choose All in channel, all events in the channel will be exported to the 
CSV file. 

■ If you choose Selected rows only, only those rows highlighted for the right- 
click operation will be exported to the CSV file. 

The default for Columns is the Export field set. You can keep the default, or 
select other field sets from a list of All Field Sets. 

(For more information on creating, editing, and applying field sets, see "Creating 
and Using Field Sets" on page 546.) 

For Destination, choose Local CSV File. 


4. Click OK. 


Tip: How to limit the export to fields visible in the channel: 

The default “Export” field includes a large number of columns. Unless you have a pressing need to 
export all these fields for channel events, you might want to modify the export. Exporting a large 
field set for a large event set could be time- and resource-consuming. 

If you want the exported file to include only the fields shown in the current channel, do either of 
these: 

• If the channel is unmodified from its default (you have not added or removed fields), you can 
select the channel's default field set on the file export option. To find the default field set name, 
edit the channel and look at "Default Field Set" name or right-click any column header in the 
channel and choose Field Set > Selected Field Set. The default field set will be selected. (For 
example, for /All Active Channels/ArcSight System/Core/Live active channel, the 
default field set is Standard-MgrRcpt. Selecting this field set on the export will give you that 
set of columns in the CSV file.) 

• If you have modified the channel from its default (added or removed fields), you can save it as a 
custom field set and then choose your custom field set on the export dialog. To save a custom 
field set, right-click anywhere on the column headers in the active channel and choose Field 
Sets > Save As. On the Field Sets Selector, navigate to the group you want, name the new 
field set and click OK. Now it will be available to choose from on the export dialog. 

The Export field set itself is also customizable. If you are sure you always want exported events to 
include a limited set of fields, you can edit the Export field set. (See "Creating and Using Field 
Sets" on page 546 and "Editing a Field Set" on page 552.) 
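The following is an added example, not ArcSight's own code or API: a small Python routine that exports 
channel events to CSV the way the Export > Events in Channel dialog does, with Rows set to all events or 
to selected rows only, and Columns limited to a chosen field set so that only the fields you need leave 
the Console. The field names, the contents of the Export and Standard-MgrRcpt field sets, and the sample 
events are constructed for illustration (only the two field-set names come from this guide). It also 
shows one check worth applying to any CSV of event data: a cell that begins with =, +, - or @ is 
evaluated as a formula when the file is opened in a spreadsheet, and event names can carry text from 
untrusted log sources, so such cells are prefixed with an apostrophe before they are written. 

```python
# Added example, not ArcSight code: export channel events to CSV limited to a
# field set, as the Export > Events in Channel dialog does with its Rows and
# Columns options. Field sets and events below are constructed; only the names
# Export and Standard-MgrRcpt come from the guide, their columns do not.
import csv
import io
from typing import Dict, List, Optional

Event = Dict[str, object]

FIELD_SETS: Dict[str, List[str]] = {
    # Stands in for the large default Export field set.
    "Export": ["managerReceiptTime", "name", "priority", "deviceVendor", "deviceProduct",
               "sourceAddress", "sourcePort", "destinationAddress", "destinationPort",
               "deviceEventClassId", "categoryBehavior", "categoryOutcome"],
    # Stands in for the Live channel's default field set.
    "Standard-MgrRcpt": ["managerReceiptTime", "name", "priority",
                         "sourceAddress", "destinationAddress"],
}

SAMPLE_EVENTS: List[Event] = [  # constructed sample events
    {"managerReceiptTime": "15 Aug 2013 09:08:17 PDT", "name": "ActiveList entry added",
     "priority": 3, "deviceVendor": "ArcSight", "deviceProduct": "ArcSight"},
    {"managerReceiptTime": "15 Aug 2013 09:08:15 PDT", "name": "Deny inbound",
     "priority": 5, "deviceVendor": "ExampleVendor", "deviceProduct": "ExampleFW",
     "sourceAddress": "198.51.100.7", "destinationAddress": "192.0.2.10",
     "destinationPort": 443},
    # An event whose name begins with "=", as a log source might supply it.
    {"managerReceiptTime": "15 Aug 2013 09:08:15 PDT", "name": "=SUM(1,1)",
     "priority": 2, "deviceVendor": "ExampleVendor", "deviceProduct": "ExampleApp"},
]


def save_custom_field_set(name: str, visible_columns: List[str]) -> None:
    """Field Sets > Save As: register the channel's current columns under a new name."""
    FIELD_SETS[name] = list(visible_columns)


def export_file_name(name: str) -> str:
    """The dialog adds the csv extension when it is missing."""
    return name if name.lower().endswith(".csv") else name + ".csv"


def _is_number(text: str) -> bool:
    try:
        float(text)
        return True
    except ValueError:
        return False


def _cell(value: object, neutralize_formulas: bool) -> str:
    text = "" if value is None else str(value)
    # A cell starting with = + - @ is evaluated as a formula by spreadsheet
    # programs; event fields can carry text from untrusted log sources, so
    # prefix such cells with an apostrophe so they open as plain text.
    if neutralize_formulas and text and text[0] in "=+-@" and not _is_number(text):
        return "'" + text
    return text


def export_events(events: List[Event], field_set: str = "Export",
                  selected: Optional[List[int]] = None,
                  neutralize_formulas: bool = True) -> str:
    """Rows: all events, or only the selected indexes. Columns: the field set.
    Fields absent from an event are written as empty cells."""
    columns = FIELD_SETS[field_set]
    rows = events if selected is None else [events[i] for i in selected]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for event in rows:
        writer.writerow({c: _cell(event.get(c), neutralize_formulas) for c in columns})
    return buf.getvalue()


if __name__ == "__main__":
    print(export_events(SAMPLE_EVENTS, "Standard-MgrRcpt", selected=[1]))
```

Calling export_events(SAMPLE_EVENTS, "Standard-MgrRcpt") writes the five channel columns for every 
event, leaving the address cells of the ArcSight-internal event empty; passing selected=[1] writes the 
header and one row, and save_custom_field_set mirrors Field Sets > Save As for a channel whose columns 
you have changed. 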
Getting Knowledge Base Articles 

Knowledge Base articles can be associated with events, rules, or any resource. Knowledge Base 
articles can have links or notes to help you respond to events. 

HTML-based articles are displayed in your default Web browser. 

To display articles from the Knowledge Base window: 

In the Navigator panel drop-down menu, select Knowledge Base. Navigate to and right-click an 
article, and choose Show Article. 

You can also choose Knowledge Base from the Help menu. 

To display articles from an active channel: 

In an active channel, right-click an event and choose Knowledge Base, then Show. Choose KB entry 
for cell, KB entry for row, or KB entry for column, then the article name. 

For more information about active channels, see "Using Active Channels" on page 228. 

To display articles from an Event Inspector: 

In the Event Inspector, right-click an event and choose Knowledge Base, then Show Article. 
The Filters resource tree in the Navigator panel is pre-populated with some typical event filters you can 
use directly, or as templates for more specific purposes. You can create and edit your own filters and 
inline filters for use in active channels. 

Topics include: 

• "Creating Filters" below 

• "Moving or Copying Filters" on page 291 

• "Debugging Filters to Match Events" on page 291 

• "Applying Filters" on page 289 

• "Investigating Views" on page 296 


Creating Filters 

This topic discusses creating and editing filter resources through the Filter Editor. For efficient 
authoring and enterprise-wide analysis consistency, use the established filter resources available in the 
Navigator panel's Filters resource tree. These filters were designed and tested to accomplish your 
organization's analytical goals. 

Topics include: 

• "Creating or Editing a Filter" below 

• "Creating and Editing an Inline Filter" on page 288 


Creating or Editing a Filter 

If you want to make a filter available to multiple resources, follow these instructions to define a filter 
resource. 


Tip: Here are best practices for editing filters. 

• Be cautious when making changes to filters used in hierarchies. 

• Learn how to use the Common Conditions Editor (CCE). Refer to "Common Conditions Editor 
(CCE)" on page 864, "Conditional Statements" on page 879, and "Conditions" on page 880 for 
more information. 

Where: Navigator > Resources > Filters 

1. If you are creating a filter, right-click a filter group and choose New Filter. 

If you are editing a filter, right-click that filter and choose Edit Filter. 

2. In the Filters Editor, type a name in the Name text field. 

The Sub Type defaults to Event Filter. 

Entering data in the Common and Assign sections is optional, depending on how your environment 
is configured. For information about the Common and Assign attributes sections, as well as the 
read-only attribute fields in Parent Groups and Creation Information, see " Common Resource 
Attribute Fields" on page 685. 

3. Go to the Filter tab and define filter conditions: 

a. In the table, scroll to a relevant event field, choose a logical operator (Op), and enter a 
conditional statement (Condition). 

b. Select case-sensitivity (Aa), and select inequality or negate (Not), if appropriate. Use the 
features described in "Common Conditions Editor (CCE)" on page 864. 

Caution: Filter definitions (meaning the total text used in a filter's condition statements) 
cannot exceed 10,000 characters. If your filter uses more than 10,000 characters, create 
a second filter by splitting the definition, and use the matchesFilter operator to combine 
the two. 

4. Repeat the above step for each condition you want to add to the filter. 

■ To edit a logical operator, right-click the logical operator and choose Edit, then choose a logical 
operator and click OK. (For more information, see "Logical Operators" on page 999.) 

■ To delete a logical operator, right-click the operator and choose Delete. In the confirmation 
dialog box, click Yes. The logical operator and all its condition statements are removed. 

■ To delete a condition statement, right-click it and choose Delete. In the confirmation dialog 
box, click Yes. 

5. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

6. Click Apply below the Inspect/Edit panel to update the filter or click OK to add the filter to the 
resource tree. 


Tip: Because you can reference filters in other filters, you can create hierarchies similar to style 
sheets. Plan your filtering needs so you can create filters, filter groups, and filter hierarchies that 
will promote the most efficient and consistent analysis results. 
Creating and Editing an Inline Filter 

Tip: Steps to create an inline filter are summarized here. For more details and examples, see also 
"Filtering Active Channels with Inline Filters" on page 234. 

Inline filters offer you a user-friendly visual representation of Boolean logic, typically found in the 
"Common Conditions Editor (CCE)" on page 864. 

In any active channel grid view, you can use the fields of the grid's top line to select event-attribute 
values for certain columns; these values are combined with implied AND operators to apply temporary 
filters. You can use the grid's bottom line to select event-attribute values that are combined with OR 
operators. 

These filters are not retained with the active channel, but you can give the revised channel a name and 
save it through the Active Channel Editor. 

Note: You cannot select a grayed-out column to include in your filter. Grayed-out columns either 
contain variables or are custom columns. 


Where: Resources > Navigator > Active Channels 

1. In the Active Channels resource tree, open the channel to which you want to add an inline filter. 

2. In the Viewer panel, go to Inline Filter and click No Filter. This opens the inline filter pane. 

3. Select the parameters based on the active channel's columns. For example, if you want to filter 
through the column called Name, enter a name value. Click Apply. 

4. To highlight all matching events for your filter, select the Highlight check box. Highlighting allows 
you to preview the events that match your filter prior to saving the filter. Click Apply to activate 
the inline filter. 

You can specify the highlight color by clicking the drop-down picker and selecting a color. 

5. To add or delete rows to the inline filter table, click + (plus) or click - (minus). 

To create and manage multiple inline filters, click the + button next to the Highlight options under 
the inline filters to add filter definition rows. (Click the - button to remove filter rows.) The potential 
uses of multiple inline filters are extensive, but essentially this provides a means of creating a filter 
with complex conditions, inline in an active channel. For example, in the Name column for an 
event, you could specify that the event name contains “ActiveList” on the first filter row and that 
the name does not contain “Successful”. You could extend this filter by specifying what you are 
looking for in some of the other fields or even add more qualifiers on the Name field. All fields can 
be narrowed down in this way, using multiple filter definition rows. 


To add an Inline filter, click the Edit Inline Filter button to the right of the viewer, 
above the event grid. 


Clicking the Edit Inline Filter button opens an inline filtering window. Type a value in one or more fields 
to further filter the event stream. In this example, we add an Inline filter on the Priority field to specify 
showing only events of Priority 3. Click Apply to apply the inline filter. 


Also, you can click the + button to add filter definition rows and create multiple inline filters. Click the - 
button to remove rows. 
When you click into a field, you get an equals operator, a drop-down list of available values for that field 
based on the events currently displayed, and an ellipsis (...) indicating another dialog is available. 

If these inline options are not enough to create the filter, click the ellipsis (...) to bring up a 
Conditions Editor dialog in which to create the filter for the selected field. 
Applying Filters 

This topic discusses how to apply the filtering resources in the Navigator panel to other filterable 
analysis resources: active channels, SmartConnectors, filters, reports, and rules. 

To add filters to resources: 

You apply existing filters to other resources by referencing them in those resource editors. 
1. Right-click a resource in the Navigator panel such as a filter or rule and choose Edit <resource>. 

2. Click the editor's Conditions tab if it isn't already at the front. 

3. In the Inspect/Edit panel, click the Filters button and select a filter in the Filter Selector dialog box. 
The selected filter becomes a new condition line in this resource's filter. 

4. Click OK or Apply to save the resource's definition including its new filter reference. 


Note: You can use hierarchies of filter references (including filters within filters) to better 
manage them, similar to style sheets. 


To apply resources as filters to active channels: 

You can quickly apply or test the effects of using particular SmartConnectors, assets, categories, 
zones, vulnerabilities, customers, stages, or filter resources as conditions to filter active channels. 
These filters make the referenced resource a condition for the channel in use. You can choose to make 
the condition exclusive or additive. 

1. Open the channel to filter in the Viewer panel. 

2. In an applicable resource tree in the Navigator panel, right-click an item and choose Set as 
current filter or Add to current filter. The filter change takes effect automatically and the 
channel's header immediately shows the new filter condition exclusively (set as) or as an addition 
(add to). 

3. You can click the filter description in the channel's header to open the filter in the Active Channel 
Editor. 

To remove a filter condition from a resource: 

You use the Filters tab of a resource's editor to change or remove any filters that affect it. 

1. In the Navigator panel, right-click the filtered resource and choose Edit <resource>. 

2. In the Inspect/Edit panel, click the Filter tab of the resource's editor. 

3. In the Conditions editor, right-click the statement that imposes the condition you want to remove 
and choose Delete. 

4. Confirm the deletion and click Apply to restart the channel. 


Note: Using enforced filters 

You can designate the events which users can see by adding filters to the user group's Events tab 

on the ACL Editor. Refer to "Adding or Removing Enforced Filters" on page 196. 




Moving or Copying Filters 

1. In the Filters resource tree, navigate to a filter and drag and drop it into another group. 

2. Choose Move to move the filter, Copy to make a separate copy of the filter, or Link to create a 
copy of the filter that is linked to the original filter. 

If you choose Copy, you create a separate copy of the group that will not be affected when the 
original group is edited. If you choose Link, you create a copy that is linked to the original group. 
Therefore, if you edit a linked group, whether the original or the copy, all links are edited as well. 
When deleting linked groups, you can either delete the selected group or all linked groups. 


Deleting Filters 

Be careful about deleting filters. Verify first whether these filters are being used by other resources. 
See "Applying Filters" on page 289 for more information. 

To delete a filter resource: 

1. In the Filters resource tree, right-click a filter and choose Delete filter. 

2. In the dialog box, click Yes. 

To delete an inline filter: 

In the active channel header, right-click the inline filter definition and choose Remove Inline Filter. 
Or: 

1. Click the Inline Filter edit button to display the inline filter parameters. 

2. Click inside the inline filter grid. 

3. Click Clear then click Apply. 

The active channel is restored to its original unfiltered view. 

Debugging Filters to Match Events 

You can use a filter debugger to test whether a selected filter matches a certain type of event and, if 
there are mismatches, to determine which filter conditions are not matching the event details. 
[Figure: Events in a Channel. Callout: To debug a filter, (1) select an event (in a channel) that 
represents the type of events you want to capture with the filter, (2) right-click and choose Debug Filter, 
then (3) select the filter and click OK. If the filter conditions match the selected event, the filter will 
capture all events like the selected one.] 



On an Active Channel, select the kind of event you want to capture and test (debug) your filter against 
it. 

The new debug filter utility is available as a right-click option on an event in an active channel. The filter 
debugger compares the conditions in a selected filter with the metadata that describes the selected 
event to determine whether the filter would capture such events. The filter definition is displayed to 
show the results of this comparison. 

• If the selected filter matches the event, the filter definition shows no errors or mismatches. 

• If the filter does not match the event, the filter definition highlights the mismatches between the filter 
conditions and the selected event with red-highlighted X’s. 


Note: The display of red highlighted X's in a filter as a result of filter debugging on an event does 
not necessarily indicate that the filter is invalid. Red highlights are shown only to indicate 
where the selected filter does not match the selected event. 


To debug a filter against an event: 

1. Select an event in the viewer in an active channel against which you want to test a filter. 

2. Right-click and choose Debug Filter from the context menu. 


[Figure: the right-click menu of a selected "ActiveList entry added" event in an active channel, showing 
Show Event Details, Correlation Options, Investigate, Debug Filter..., and Debug Event Priority.] 

3. In the filter selector dialog, navigate to and select the filter you want to test, as in the following 
example: 
[Figure: the Filter Selector dialog, showing the Filters tree (admin's Filters; Shared > All Filters > 
ArcSight Administration, ArcSight Core Security, ArcSight Foundation, ArcSight System > Asset 
Auto-Creation, Connector Filters, Core, Event Types > ArcSight Correlation Events, ArcSight Events, 
ASM Events, Blocked ArcSight Internal Events, Correlation Events, Non-ArcSight Events) with OK, Cancel, 
and Help buttons.] 

In a few moments, the Debug Filter dialog displays the filter’s event conditions with applicable 
indicators, as follows: 

■ If the selected filter matches the event, the Debug Filter dialog displays the selected event with 
green checkmarks. 

■ If the filter does not match the event, the Debug Filter dialog displays the selected event with red 
Xs. 

The following example shows the debug filter results that found a combination of matches and 
mismatches: 


[Figure: the Debug Filter dialog. Callouts: The filter definition highlights the mismatches between the 
filter conditions and the selected event with red highlighted X's. If you find a mismatch, you can use 
the Event Inspector to check the field values present in the event by right-clicking the event in the 
channel and choosing Show Event Details.] 
In the example, you see an OR condition with two sets of event conditions. The evaluation process found 
no match in the first set of conditions and found matches in the second set of conditions. The 
particular filter we selected, ArcSight Internal Events, happens to have a third condition to 
match another filter, ASM Events. However, this third condition was skipped since evaluation 
stopped once matches were found. 


Note: The presence of red Xs in a filter as a result of filter debugging on an event does not 
necessarily indicate that the filter is invalid. Red Xs are shown here only to indicate where 
the selected filter does not match the selected event. Each event can yield different debug 
results. 


For more information about using the Event Inspector to investigate events, see "Inspecting and 
Editing" on page 48 and "Event Inspector" on page 988. 

See also "Creating Filters" on page 286 and "Applying Filters" on page 289. 


Importing and Exporting Filters 

To import and export filters, use the packages feature as described in "Managing Packages" on 
page 693. Portable ArcSight packages can automatically manage dependencies across resources and 
other packages. 

For information on how to import and export filters on SmartConnectors, see "Importing and Exporting 
SmartConnector Configurations" on page 173 (especially the topics on "SmartConnector Filters" on 
page 175 and "Adding SmartConnector Filter Conditions" on page 159). 


Managing Filter Groups 

Filter groups are created to store similar groups or filters in a single location. Groups can be created 
within groups to meet enterprise needs. When a group is created within a group, the new group inherits 
the existing group's access control list (ACL). 

Caution: Do not exceed 10,000 resources in a group. 

Groups and filters can be managed with drag and drop functionality. You can move or copy groups and 
filters into other groups. If a group is deleted, the filters within that group are also deleted. 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 
To create filter groups: 

1. In the Navigator panel, choose Filters. 

2. In the Filters resource tree, right-click a group and choose New Group. 

3. In the Name text field, type in a name. 

4. Press Enter. 

To rename filter groups: 

1. In the Filters resource tree, right-click a group and choose Edit Group. 

2. In the Name text field, rename the group. 

3. Press Enter and click OK. 

To edit filter groups: 

1. In the Filters resource tree, right-click a group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text fields, and press Enter after each. 

3. Click OK. 

To move or copy filter groups: 

1. In the Filters resource tree, navigate to a group and drag and drop it into another group. 

2. Select Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you select Copy, you create a separate copy of the group that will not be affected when the 
original group is edited. If you select Link, you create a copy of the group that is linked to the 
original group. Therefore, if you edit a linked group, whether it be the original or the copy, all links 
are edited as well. When deleting linked groups, you can either delete the selected group or all 
linked groups. 

To delete filter groups: 

1. In the Filters resource tree, right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 
Investigating Views 

This topic explains how to use the Console's Investigate command to refine and explore channels 
contextually, using attributes of the events already being displayed in grid views. 

The Investigate command uses these attributes, and the values found in their events, to automatically 
formulate simple filters or conditions. 

When you create or refine a filter through Investigate, the Viewer panel automatically opens a new view 
of the channel with the filter applied. You explore the filter's effect in this view. You can keep the view 
by saving the channel under a new name, or discard it by right-clicking in the grid and choosing 
Close. 

Following is a temporary view created with the Investigate command: 



When you use Investigate to add a condition to a resource editor such as Rules or Filters, the condition 
appears in the editor panel where you can modify it or click Apply to put it into effect. 

The new or modified views you generate with the Investigate command can be grids, or you can 
choose to display them in applicable chart formats using the Viewer Selector icon in the lower-right 
corner of the Viewer panel. 

To learn more about the event attributes these options use, see "Data Fields" on page 885. 
Using an Event Attribute to Show a New Filtered View 

These options completely control the new view created, ignoring the filter in the original view. You most 
often use them to test and explore. 


In a grid view, right-click an attribute (column) in an event listing and choose Investigate, followed by 
one of these options: 


Option: Create Filter [Attribute=Value] 
Use: Show only those events in which the selected attribute matches the value in the selected event. 

Option: Create Filter [Attribute!=Value] 
Use: Show only those events in which the selected attribute does not match the value in the selected 
event. 

Option: Create Filter [List of Related Attributes=Value, !=Value] 
Use: When the selected attribute is of a type that has related attributes, choose to show only those 
events that do (or do not) match one of the related attributes on the additional menu. Generally, 
attributes are considered related if they share a common focus such as IP addresses. 


Refining a Filter with an Event Attribute 

These options open a new view that uses a version of the prior filter modified to include the new filter 
component just selected. You usually apply these as part of a filter-refinement process. 


In a grid view, right-click an attribute (column) in an event listing and choose Investigate, followed by 
one of these options: 


Option: Add [Attribute=Value] to Filter 
Use: Show only those events that match both the prior and new filter elements. 

Option: Add [Attribute!=Value] to Filter 
Use: Show only those events that do not match both the prior and new filter elements. 

Option: Add to Filter [List of Related Attributes=Value, !=Value] 
Use: When the selected attribute is of a type that has related attributes, choose to show only those 
events that do (or do not) match one of the related attributes on the additional menu. This filtering 
element is applied in addition to any other already present. Generally, attributes are considered 
related if they share a common focus such as IP addresses. 
Filtering Out ArcSight Events 

You can modify existing filters to refine your view to show only the events you want to see. Suppose 
you have an active channel that includes both system events and non-system events, but you want to 
see only the non-system events. 

To modify the filter of the channel: 

1. Double-click the filter in the channel header to get the channel editor. 

2. Click the Filter tab in the channel editor. 

3. Add this condition to the filter (with an AND): 

!=NOT MatchesFilter("/All Filters/ArcSight System/Event Types/ArcSight Internal 
Events") 

[Figure: the Event conditions tree in the channel editor, showing event1 with the negated (!=NOT) 
condition MatchesFilter("/All Filters/ArcSight System/Event Types/ArcSight Internal Events").] 

To create or customize active channels in other ways, follow this same approach. Find a filter that does 
what you want and add condition statements to the channel's filter. Or, as in the example above, find a 
filter that does the opposite of what you want, add it to a channel, and negate the condition statement. 
Since we wanted to limit the channel to show only non-ArcSight events, we found the 
ArcSight Events filter, added the ArcSight Events condition to a channel, and negated it to get the 
effect of filtering out all ArcSight events. 
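The following is an added example, not ArcSight's own code: a toy filter evaluator in Python that 
produces the kind of per-condition report the Debug Filter dialog shows (see "Debugging Filters to 
Match Events"), including the short-circuit behaviour in which the third condition of an OR is skipped 
once an earlier condition set has matched, and it expresses the negated MatchesFilter condition from 
"Filtering Out ArcSight Events" as the channel filter. The filter URIs /All Filters/ArcSight 
System/Event Types/ASM Events and /All Filters/ArcSight System/Event Types/ArcSight Internal Events 
are taken from this guide, but their condition contents, the field names (deviceVendor, deviceProduct, 
name), the operators and the sample events are constructed for illustration; stopping an AND at its 
first mismatch is this example's assumption, not a documented behaviour. 

```python
# Added example, not ArcSight code: a toy evaluator for filter definitions that
# records, per condition, whether it matched the event, the way the Debug Filter
# dialog shows checkmarks, Xs and skipped conditions. Names and filter contents are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Event = Dict[str, object]
MATCH, MISMATCH, SKIPPED = "match", "mismatch", "skipped"

@dataclass
class Cond:
    """One condition row: event field, operator (Op), value and the Not flag."""
    field_name: str
    op: str          # "=" or "contains"
    value: object
    negate: bool = False

@dataclass
class MatchesFilter:  # reference to another filter resource by URI (matchesFilter operator)
    uri: str
    negate: bool = False

@dataclass
class Group:  # an AND or OR node; children are Cond, MatchesFilter or nested Group
    op: str
    children: List["Node"]

Node = Union[Group, Cond, MatchesFilter]
Registry = Dict[str, Group]          # filter URI -> filter definition
Report = List[Tuple[int, str, str]]  # (depth, label, status) rows, like the dialog

def label(node: Node) -> str:
    if isinstance(node, Group):
        return node.op
    neg = "NOT " if node.negate else ""
    if isinstance(node, MatchesFilter):
        return f"{neg}MatchesFilter({node.uri!r})"
    return f"{neg}{node.field_name} {node.op} {node.value!r}"

def eval_cond(cond: Cond, event: Event) -> bool:
    actual = event.get(cond.field_name)
    hit = actual == cond.value if cond.op == "=" else str(cond.value) in str(actual)
    return not hit if cond.negate else hit

def debug(node: Node, event: Event, registry: Registry, report: Report, depth: int = 0) -> bool:
    """Evaluate node against event, appending one report row per condition. An OR
    stops at its first matching child and an AND at its first mismatching child (the
    AND short-circuit is this example's assumption); later children are marked skipped."""
    if isinstance(node, Cond):
        hit = eval_cond(node, event)
        report.append((depth, label(node), MATCH if hit else MISMATCH))
        return hit
    if isinstance(node, MatchesFilter):
        sub: Report = []
        hit = debug(registry[node.uri], event, registry, sub, depth + 1)
        hit = not hit if node.negate else hit
        report.append((depth, label(node), MATCH if hit else MISMATCH))
        report.extend(sub)  # show why the referenced filter did or did not match
        return hit
    report.append((depth, node.op, ""))
    result, decided = node.op == "AND", False
    for child in node.children:
        if decided:
            report.append((depth + 1, label(child), SKIPPED))
            continue
        hit = debug(child, event, registry, report, depth + 1)
        if (node.op == "OR" and hit) or (node.op == "AND" and not hit):
            result, decided = hit, True
    return result

def debug_filter(uri: str, event: Event, registry: Registry) -> Tuple[bool, Report]:
    """Returns (filter matches event, per-condition report)."""
    report: Report = []
    return debug(registry[uri], event, registry, report), report

def render(report: Report) -> str:
    marks = {MATCH: "[OK]", MISMATCH: "[X]", SKIPPED: "[skipped]", "": ""}
    return "\n".join(f"{'  ' * d}{text} {marks[s]}".rstrip() for d, text, s in report)

ASM_URI = "/All Filters/ArcSight System/Event Types/ASM Events"
INTERNAL_URI = "/All Filters/ArcSight System/Event Types/ArcSight Internal Events"
NON_ARCSIGHT_URI = "/All Filters/Example/Non-ArcSight Events Only"  # constructed name

# Constructed definitions shaped like the guide's example: an OR of two condition
# sets plus a third condition that references the ASM Events filter.
REGISTRY: Registry = {
    ASM_URI: Group("AND", [Cond("deviceVendor", "=", "ArcSight"), Cond("deviceProduct", "=", "ASM")]),
    INTERNAL_URI: Group("OR", [
        Group("AND", [Cond("deviceVendor", "=", "ArcSight"), Cond("name", "contains", "Connector")]),
        Group("AND", [Cond("deviceVendor", "=", "ArcSight"), Cond("deviceProduct", "=", "ArcSight")]),
        MatchesFilter(ASM_URI),
    ]),
    # The channel filter from "Filtering Out ArcSight Events": the reference, negated.
    NON_ARCSIGHT_URI: Group("AND", [MatchesFilter(INTERNAL_URI, negate=True)]),
}

# Constructed sample events.
INTERNAL_EVENT: Event = {"name": "ActiveList entry added", "deviceVendor": "ArcSight", "deviceProduct": "ArcSight"}
FIREWALL_EVENT: Event = {"name": "Deny inbound", "deviceVendor": "ExampleVendor", "deviceProduct": "ExampleFW"}
```

Calling debug_filter(INTERNAL_URI, INTERNAL_EVENT, REGISTRY) and printing render() of the report lists 
the first AND set with a mismatch on its name condition, the second set fully matched, and the 
MatchesFilter reference marked skipped because the OR was already decided. The same event evaluated 
against NON_ARCSIGHT_URI is excluded, while FIREWALL_EVENT passes, which is the effect the negated 
condition in the channel filter is meant to have. 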


Adding an Event Attribute to a Filtering Condition 

The Add condition to editor options apply to the editor in the Inspect/Edit panel that currently has 
focus. If no editor is open, the default target is the Filters Editor. 

To add an event attribute: 


In a grid view, right-click an attribute (column) in an event listing and choose Investigate, followed by 
one of these options: 


Option: Add Condition [Attribute=Value] to Editor 
Use: In the current editor, insert a new condition in which the selected attribute matches the value in 
the selected event. 

Option: Add Condition [Attribute!=Value] to Editor 
Use: In the current editor, insert a new condition in which the selected attribute does not match the 
value in the selected event. 

Option: Add Condition to Editor [List of Related Attributes=Value, !=Value] 
Use: When the selected attribute is of a type that has related attributes, add a condition to the 
current editor using the available list of attribute-value pairs that do (or do not) equate. Generally, 
attributes are considered related if they share a common focus such as IP addresses. 


To remove a condition from the editor: 

Right-click it and choose Delete. 

When you are using these options to affect a view that is subject to the editor in use, click Apply or OK 
in the editor to put the condition into effect. 

Contextual filters (in contrast to conditions) are temporary unless you save the modified view as a 
named active channel. Condition statements are saved with their relevant editors. 


Modifying Views 

This topic covers the use of “inline” (in the grid itself) grid view filtering options. The inline filter is the 
row of blank event values you see at the top of any grid in the Viewer panel. 

Inline filtering directly affects the current view. Changes you make to a grid view by inline filtering also 
apply to any other versions of the view you open such as its applicable chart types. Inline filters are 
temporary unless you save the modified view as part of a named active channel. 

To modify a view with inline filters: 

Use inline filters by clicking the inline fields at the top of view columns and choosing an event-attribute 
value to use as a constraint. When you choose multiple fields, they automatically form AND 
conditions. Click the Checkmark icon to apply your filter selections. 

To undo an inline filter: 

1. Click any of the filter fields in the top line of the grid view to show the inline filter control buttons. 

2. Click the X (clear) button to remove the current filter elements and restart the view. 

For details on working with filters and inline filters, see "Creating Filters" on page 286 and "Filtering 
Active Channels with Inline Filters" on page 234. 

Tip: If you want the modified view as a permanent view, use the Navigator panel's Active Channel 
resource tree to open the view's channel in the Active Channel Editor. Then save the channel with 
a new name. 
A query is an ArcSight resource that defines the parameters of the data you want to report on, derived 
from an ArcSight data source. The result of the query then becomes the basis for one or more ArcSight 
reports and trends. The Query Editor is a component of the ArcSight Reporting resource tools. 

Queries are used in: 

• Reports. See "Creating Reports" on page 379 for more information. 

• Query viewers. Additionally, if you want to run quick SQL queries for monitoring and analysis 
outside of the reporting resource, you can use query viewers. You can add query viewers to 
dashboards and generate simple reports on query viewer results. For information on query viewers, 
see "Query Viewers" on page 323. 

• Trends. See "Building Trends" on page 427. 


How Queries Work 

As a data source, queries can use the database of events, actors, modeled network objects (assets), 
cases, notifications, case-sensitive session lists or active lists, or data gathered from a trend. 





In a query, you select the data fields you want to report on, specify any additional functions you want 
run on them (such as sum, average, and so on), and any sort or group-by conditions you want to add, 
such as grouping results by source address, zone, or priority. 


Using Queries and Trends Together for Reports 

A query can be used as the primary data source for a report. Or, a trend (based on one query) can be 
used as the data source to another query that further refines the initial query result. A collection of trend 
queries (queries that use trends as their data source) can provide focused views of a data set which 
can then be fed into a single report or multiple reports. 

For a more detailed description of the relationships you can build between queries and trends for 
reporting, see "Query-Trend Relationships in Reporting" on page 428. 

Tip: While running reports or trends, if you run into an error about the inability to run the query because 
temporary sort space is exceeded, refer to the recommendations on how to increase the sort 
space size in the Troubleshooting section of the Administrator’s Guide. You may also want to 
further refine the queries being used by reports and trends. 


Using Queries in Query Viewers 

You can use queries built for reports in query viewers, outside of the reporting paradigm. Query viewers 
provide a channel-style view of SQL query results but are not limited to events in terms of scope. They 
provide high-level summaries to monitor system health, reveal trends, and allow for drill-down and 
investigation of all types of resources across time. Query viewers are performance-tuned to work with 
trend tables rather than event tables, and so can return results much faster than active channels. 

Query viewers include their own simple reporting option by which you can initiate a report on the query 
results from the query viewer. 

For more about using query viewers, see "Query Viewers" on page 323. 


Building a Query 
Navigating to Queries 

In the Navigator panel, select Reports resource from the drop-down menu and click the Queries tab. 


Figure: Navigator panel showing the Reports resource (Ctrl+Alt+R) with the Queries tab selected. The 
tree lists admin2's Queries (containing VPN Logins Outcome - Hourly) and Shared > All Queries, with 
the ArcSight Administration, ArcSight Foundation, ArcSight Solutions, ArcSight System, Downloads, 
Personal, Public, and Unassigned groups. 


Creating a New Query 

Caution: Do not exceed 10,000 resources in a group. 

The high-level steps for creating a query are as follows: 

1. Right-click a group (folder) and select New Query. This launches the Query Editor in the 
Inspect/Edit panel. 

Note: As a general rule, create new content in the user's own folder. 

2. Define "General Query Attributes" below. At a minimum, fill in the required values (red asterisks) 
on the General tab. 

3. Define a schema for "Query Fields" on page 308. 

4. Create "Query Conditions" on page 316. 

5. Define Query Variables (optional). 

6. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

7. Click Apply or OK to create the new query. 


Note: Be sure to click Apply or OK frequently to save settings intermittently as you work 
through the above steps. Clicking Apply saves settings and leaves the Editor open. Clicking 
OK saves settings and closes the Editor for this query. If you do not apply or accept settings 
using these buttons, your settings are not saved. 


Defining Query Settings 

Use the Query Editor to build a new query or edit an existing one. Query settings are defined on multiple 
sub-tabs. 


General Query Attributes 

The following fields in the Query section are required attributes that must be specified when creating a 
new query. 
General Query Attributes 

Name 

Name for the query. Spaces and special characters are OK. This is an alias for the 
query that appears in pick lists in other editors. 


Query on 

From the drop-down menu, select one of the following data sources: 

• Event - Select Event if you want to create a report or view trends on event activity. 

• Active List - Select Active List to query or view trends on list entries. Additionally, 
select a "Query Type" on the next page. If you are creating a list query with asset- 
related conditions, see also "Example: Creating Asset-Related Conditions for 
Queries on Lists" on page 320. 

For more about active lists, see "List Authoring" on page 469. 

Cautions: 

■ For good query performance, query on case-sensitive lists only. 

■ If the active list contains list fields that reference resources (for example, a field 
that uses any Group variable function), and the query is used by a trend, that 
trend will not display the list of resource references. Rather, the trend will 
display only one list element. This limitation does not affect reports and query 
viewers. 

• Actor - Select Actor to query or view trends on actor information. (For more 
information on actors, see "Actors" on page 740.) 

• Asset - Select Asset if you want to report or view trends on statistics about the 
assets on your network, such as a list or count of assets categorized in a particular 
asset category, or the zone a particular asset is in at a particular time. (For more 
about assets, see "Modeling the Network" on page 98.) 

• Case - Select Case if you want to report or view trends on the status of cases, such 
as number of cases opened and resolved. (For more about cases, see "Case 
Management and Queries" on page 596.) 

• Notification - Select Notification if you want to report or view trends on the status 
of events sent out in the notification workflow, such as number of events in the 
Investigate stage. (For more about notifications, see "Managing Notifications" on 
page 203.) 

• Session List - Select Session List to query or view trends on session activity. 

If you are creating a list query with asset-related conditions, see also "Example: 
Creating Asset-Related Conditions for Queries on Lists" on page 320. 

For more about session lists, see "Managing Session Lists" on page 485. 

Caution: For good query performance, query on case-sensitive lists only. 

• Trend - Select Trend if you want to report or maintain trend information on the data 
gathered in another trend. For instructions about how to build a trend, see "Building 
Trends" on page 427. 

Query On Resource 

Available for queries on active and session lists. Select a list from the drop-down 
panel. 

Query Type 

Available for queries on active lists. Select one: 

• Snapshot - Select Snapshot if you want the query to return values from the active 
list with no historical baseline. 

• Interval - Select Interval if you want to view values within a specified period. 

Start Time 

This field only appears if you are querying on an interval active list, event, or trend. 

Enter values depending on the data source you selected: 

• Active List, Interval type - Specify the starting point for the data gathering from 
the specified active list. 

• Event - Specify the starting point for the data gathering from the events database. 
Event data is generally kept unarchived for 30 days by default, so specify a start 
time within that time frame. 

• Trend - Specify the starting point for the data gathering from the trends database. 
Be sure to specify a period within the lifecycle of the trend; otherwise, the query 
returns an empty result set. 

Tip: If the query is used as a base query in a trend, the trend start time overwrites the 
start time set here. See "Trend Parameters" on page 437. 

End Time 

This field only appears if you are querying on an interval active list, event, or trend. 

Enter an end time depending on the type of source data you selected: 

• Active List, Interval type - Specify the ending point for the data gathering from the 
specified active list. 

• Event - Specify the ending point for the data gathering that is some time after the 
starting point. Keep in mind that large time spans can mean large amounts of data, 
which can affect system performance. 

• Trend - Specify the end point for the data gathering that is some time after the 
starting point. 

Tip: If the query is used as a base query in a trend, the trend end time overwrites the 
end time set here. See "Trend Parameters" on page 437. 

Use as Timestamp 

This field only appears if you are querying on an interval active list, event, or trend. This 
field indicates which value to use as the timestamp for the report itself. This value 
helps with sorting and scheduling. 

The following options are available for queries on events and trends: 

• End Time - Select End Time if you want to use the event or trend end-time you 
specified in the End Time field. The timestamp reflects the event end time. If you 
are querying on a trend, select this option. 

• Manager Receipt Time - Select Manager Receipt Time to use the time the event 
was received at the Manager. If you are querying on a trend, this is probably not an 
appropriate option to choose because in that case, Manager Receipt Time would 
indicate when the trend is run, rather than when events are received by the 
Manager. 

The following options are available for interval queries on active lists: 

• Date-based field on the active list - This is the default, if such a field exists in the 
active list. 

• Creation Time - When the list was first populated (created). 

• Last Modified Time - When the list was last updated. 

Row Limit 

Set the row limit for the data table. The default is 10000 rows. 

Tips: 

• The row limit you set here determines the row limit for reports using this query. 
Consider how the row limit will affect report readability. For example, if you have a 
simple chart with just the X- and Y-axes, you might want a maximum of 20 rows for 
a single-page chart. For stacked charts, your data points still correspond to the row 
limits but two or more will be on the same column. See also "Selecting Data for 
the Z-Axis on a Chart (Optional)" on page 391 for additional information. 

• If the query is used as a base query in a trend, the trend row limit overwrites the row 
limit set here. See "Trend Parameters" on page 437. 

Distinct Rows 

This setting means only unique (distinct) rows appear in the results. For example, if 
you checked this box and there are duplicate returned rows, only one of them is shown. 

Database Hint 

This option does not apply to CORR-Engine. 


The example below shows a query definition for VPN Logins Outcome - Hourly that returns VPN login 
attempts over a one-day period each time it is run (Start Time is $Now - 1d and End Time is $Now). 

Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 


Query Fields 

The Query Fields tab contains the following main options with which to define query data and 
structure: 

• "SELECT Query Fields" on the next page 
• "GROUP BY Query Fields" on page 311 
• "ORDER BY Query Fields" on page 314 

Tip: Drag-and-drop is available on Query Structure panels. 

You can drag-and-drop items between options (for example, to group by Category Outcome, 
drag it from SELECT to GROUP BY. It stays in SELECT but is also used to GROUP BY). 

Search Shortcuts 

■ Type part of the field name to find (for example, Name) in the Search box. 

■ Use the up/down arrow keys to jump to each instance of “Name” in the available fields. 

■ When you find the field name you want, press Return to add it to the condition statement 
under the selected section (SELECT, GROUP BY, or ORDER BY). 

■ Ctrl+F gets the Search box back in display if it’s hidden. 

Common Conditions Editor (CCE). The Query Editor, like other resource editors, uses the 
CCE for building conditional statements (query structure). For more tips on using the CCE, see 
"Common Conditions Editor (CCE)" on page 864. 


SELECT Query Fields 

Click Add SELECT columns to select the data for the query. Data selected enters one big bucket, 
and any functions set for any of the data fields are performed on the entire bucket of data. 

Tip: Fields shown in italics on the Data Options panel are derived, referenced, or side table 
fields (rather than “hard event data” in the main database tables). See also "Data Fields" on 
page 885 and "Variables" on page 1069. 


Query Structure (SELECT) 

The Query Structure section at the top provides a summary of the fields selected in the SELECT 
section at the bottom. If you add GROUP BY or ORDER BY settings, these show up here also. 

You can select from Fields and Global Variables, Field Sets, or Local Variables as data to build the 
query. Choosing a field set limits the fields shown to the selected field set. 


• Click a field or variable (checkmark it) to select it. 

• Click again (remove the checkmark) to deselect it. 

• To edit a field or variable that you already have set as a query condition (showing under SELECT), 
simply double-click it or select it (click once) and click the Edit button in the toolbar. (For 
example, you might want to edit the query by adding a function to it, as described in "Applying 
Functions to SELECT Columns" below.) 

• To duplicate a field or variable that you already have under SELECT, select it (click once) then click 
the Duplicate Column button in the toolbar. 

• To move a column up or down, select it and click the up or down arrow in the toolbar. 

Figure: Query Structure toolbar, with buttons for Move selected condition up or down, Edit selected 
condition, and Duplicate Column. 

You can also select a condition item and right-click to get the various Edit options (Edit, Copy, Delete, 
Duplicate, and so forth). 


Applying Functions to SELECT Columns 

Optionally, you can specify an aggregate function on a particular column of data, such as a line item 
count, or in the case of numeric data, a sum or average. 

If the query is not grouped by one or more columns, then aggregate functions added here are applied to 
the whole result set. 

If the query is grouped by one or more columns, then the aggregate function is performed on each group 
individually. 

Adding a function adds a data field to the query schema that provides the results of the function, which 
can later be displayed in a report. 

To specify a function for column data, double-click a field or variable in the top pane under “SELECT” 
and select a Function (from the drop-down menu) to apply to the column data. 


Figure: SELECT pane of the Query Structure section, with Count(Category Outcome) COUNT selected 
and the Function drop-down open (None, COUNT, MAX, MIN, and so on). 


The available functions are: 


• COUNT - Count the number of line items returned in this column. 

• SUM - Add all numerical data in a column, such as aggregated event count. 

• AVERAGE - Calculate the average of all numerical data in a column, such as aggregated event 
count. 

• MAX - Calculate the top values of the items returned in this column. 

• MIN - Calculate the lowest values of the items returned in this column. 

• Standard Deviation (STDDEV) - Calculate the variation from the “average” (mean) for this column. 
(Square root of the variance.) 

• VARIANCE - Calculate the amount of variation within the values returned for this column. 


Select Unique to apply the function only to unique values in the column. (For example, the target 
address column may have 50 items in it, but only three are unique. To get a count of unique target 
addresses, check the Unique box.) 

Click the green checkmark button to add the function. 

To remove a function from a field, select the field, change the function selection to None, and click the 
green checkmark button again. 

To cancel a modification to a function, click the cancel button or simply click elsewhere on the UI (off of 
the Function menu). 
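The aggregate semantics described above (a function applied to the whole result set when the query is not grouped, to each group when it is, and only to distinct values when Unique is checked), as an added example in Python. This is not ArcSight code; the event records are constructed, the column names are chosen to mirror ESM event fields, and the population convention for VARIANCE (divide by N) is an assumption.

```python
"""Aggregate functions of the ESM Query Editor (COUNT, SUM, AVERAGE, MAX, MIN,
STDDEV, VARIANCE, with the Unique option), modelled in Python.

Added example, not ArcSight code. The event records are constructed, and the
population convention for VARIANCE (divide by N) is an assumption.
"""
import math
from collections import defaultdict
from typing import Any, Dict, List, Optional, Sequence, Tuple

Event = Dict[str, Any]

# Constructed sample events; column names mirror ESM event field names.
EVENTS: List[Event] = [
    {"Target Address": "10.0.0.5", "Category Outcome": "/Success", "Aggregated Event Count": 3},
    {"Target Address": "10.0.0.5", "Category Outcome": "/Failure", "Aggregated Event Count": 1},
    {"Target Address": "10.0.0.7", "Category Outcome": "/Success", "Aggregated Event Count": 2},
    {"Target Address": "10.0.0.5", "Category Outcome": "/Failure", "Aggregated Event Count": 4},
    {"Target Address": "10.0.0.9", "Category Outcome": "/Success", "Aggregated Event Count": 2},
    {"Target Address": "10.0.0.7", "Category Outcome": "/Failure", "Aggregated Event Count": 6},
]


def _mean(xs: Sequence[float]) -> float:
    return sum(xs) / len(xs)


def _variance(xs: Sequence[float]) -> float:
    m = _mean(xs)
    return sum((x - m) ** 2 for x in xs) / len(xs)


# Function name as shown in the editor's drop-down -> implementation.
FUNCTIONS = {
    "COUNT": len,
    "SUM": sum,
    "AVERAGE": _mean,
    "MAX": max,
    "MIN": min,
    "VARIANCE": _variance,
    "STDDEV": lambda xs: math.sqrt(_variance(xs)),   # square root of the variance
}


def apply_function(name: str, values: Sequence[Any], unique: bool = False) -> Optional[Any]:
    """Apply one editor function to a column of values (one bucket)."""
    vals = [v for v in values if v is not None]      # unset fields are not counted
    if unique:
        vals = list(dict.fromkeys(vals))             # distinct values, first-seen order
    if not vals:
        return None                                  # an empty bucket has no aggregate
    return FUNCTIONS[name](vals)


def aggregate(events: List[Event], column: str, function: str,
              group_by: Optional[List[str]] = None, unique: bool = False) -> Dict[Tuple[Any, ...], Any]:
    """Run `function` on `column`.

    Without group_by the whole result set is one bucket, keyed by ().
    With group_by there is one bucket per distinct combination of the
    group-by fields, keyed by the tuple of their values.
    """
    buckets: Dict[Tuple[Any, ...], List[Any]] = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(g) for g in group_by) if group_by else ()
        buckets[key].append(ev.get(column))
    return {key: apply_function(function, vals, unique) for key, vals in buckets.items()}


if __name__ == "__main__":
    print("distinct target addresses:", aggregate(EVENTS, "Target Address", "COUNT", unique=True)[()])
    print("event count per outcome:",
          aggregate(EVENTS, "Aggregated Event Count", "SUM", group_by=["Category Outcome"]))
```

With the constructed events, COUNT over Target Address returns 6 but 3 with Unique, which is exactly the distinction the Unique box makes; grouping by Category Outcome splits the same SUM into one value per outcome.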


GROUP BY Query Fields 

Click Add GROUP By to divide query results into separate buckets. For example, you could do a 
“group by” if you are interested in sorting items by timestamp, such as logins between 3 and 5 p.m. 
Functions on GROUP BY data apply to timestamp based fields only. 
Figure: Query Editor, Fields tab, with GROUP BY selected. The Query Structure pane at the top shows 
SELECT (Count(Category Outcome) COUNT, Category Outcome), GROUP BY (Category Outcome, Hour), 
and ORDER BY; the GROUP BY pane below lists the available event fields with checkboxes, a Choose 
fields from drop-down, and a Search box. 

Figure callouts: 

Drag-and-drop items between options (for example, to group by Hour, drag it from GROUP BY to 
ORDER BY. It remains in GROUP BY but is also used to ORDER BY). 

Choose Columns: Select one or more data fields to determine which fields to group by, then click 
the arrow to move it to the Query Columns area. 

Query Columns: Shows columns selected for the group by. 




Query Structure (GROUP BY) 

The Query Structure section at the top provides a summary of the fields selected in the GROUP BY 
section at the bottom. SELECT and ORDER BY settings show up here also. 
Adding and editing fields and variables to group by works similarly to adding them for SELECT. See 
"Query Structure (SELECT)" on page 310. 


Applying Time-Based Functions to GROUP BY 
Columns 

You can specify a time-based function on the group by column of data. Time-based functions apply 
only to time-based fields, such as event end time. 

To specify a function for GROUP BY column data, double-click a field or variable in the top pane under 
“GROUP BY” and select one of the available time-based functions (from the drop-down menu) to apply 
to the column data. 

Figure: Query Structure section with Hour selected under GROUP BY (applied to End Time) and the 
time-function drop-down open (None, Second, Minute, Hour, Day, DayOfWeek, DayOfMonth, Week, and 
so on). 


Functions on items under GROUP BY create a separate bucket of data for each time function 
specified. 

To specify a function for column data, select a data field in the Query Columns section then select a 
Function (from the drop-down menu) to apply to the column data: 

• Second - Creates a new bucket for all events that occur in the same second. 

• Minute - Creates a new bucket for all events that occur in the same 60-second period. 

• Hour - Creates a new bucket for all events that occur in the same 60-minute period. 

• Day - Creates a new bucket for all events that occur in the same 24-hour period. 

• DayOfWeek - Creates a new bucket for all events that occur on the different days of the week, such 
as Monday, Tuesday, and Wednesday. 

• DayOfMonth - Creates a new bucket for all events that occur on various days of the month, such as 
the first, second, and third. 

• Week - Creates a new bucket for all events that occur in a week. 

• Month - Creates a new bucket for all events that occur in a month. 

• Year - Creates a new bucket for all events that occur in a year. 

• Quarter - Creates a new bucket for all events that occur in a quarter. 
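The time-based GROUP BY functions listed above, together with the VPN Logins Outcome - Hourly query described under General Query Attributes (Start Time $Now - 1d, End Time $Now, grouped by Category Outcome and Hour of End Time), as an added example in Python. This is not ArcSight code: the login events and the fixed value standing in for $Now are constructed, the ISO week convention and the secondary sort on the hour bucket are assumptions, and it goes beyond the text only in implementing all ten bucket functions in one place.

```python
"""Time-based GROUP BY functions and the "VPN Logins Outcome - Hourly" query,
modelled in Python.

Added example, not ArcSight code. The sample events, the fixed value of $Now,
the ISO week convention and the secondary sort on the hour bucket are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple

UTC = timezone.utc


def time_bucket(function: str, ts: datetime) -> Any:
    """Return the bucket key that a GROUP BY time function assigns to a timestamp."""
    f = function.lower()
    if f == "second":
        return ts.replace(microsecond=0)
    if f == "minute":
        return ts.replace(second=0, microsecond=0)
    if f == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    if f == "day":
        return ts.date()
    if f == "dayofweek":
        return ts.strftime("%A")            # Monday, Tuesday, ...
    if f == "dayofmonth":
        return ts.day                       # 1 .. 31
    if f == "week":
        year, week, _ = ts.isocalendar()    # ISO week numbering (assumption)
        return (year, week)
    if f == "month":
        return (ts.year, ts.month)
    if f == "year":
        return ts.year
    if f == "quarter":
        return (ts.year, (ts.month - 1) // 3 + 1)
    raise ValueError(f"unknown time function: {function}")


# Constructed VPN login events; End Time is the field the Hour function is applied to.
NOW = datetime(2015, 6, 10, 12, 0, tzinfo=UTC)          # stands in for $Now
EVENTS: List[Dict[str, Any]] = [
    {"End Time": datetime(2015, 6, 10, 9, 15, tzinfo=UTC), "Category Outcome": "/Success"},
    {"End Time": datetime(2015, 6, 10, 9, 40, tzinfo=UTC), "Category Outcome": "/Success"},
    {"End Time": datetime(2015, 6, 10, 9, 55, tzinfo=UTC), "Category Outcome": "/Failure"},
    {"End Time": datetime(2015, 6, 10, 10, 5, tzinfo=UTC), "Category Outcome": "/Success"},
    {"End Time": datetime(2015, 6, 8, 9, 30, tzinfo=UTC), "Category Outcome": "/Failure"},  # older than 1d
]


def vpn_logins_outcome_hourly(events: List[Dict[str, Any]],
                              now: datetime = NOW) -> List[Tuple[str, datetime, int]]:
    """SELECT Count(Category Outcome), Category Outcome, Hour(End Time)
    over Start Time = $Now - 1d .. End Time = $Now,
    GROUP BY Category Outcome, Hour(End Time), ORDER BY Category Outcome ASC."""
    start, end = now - timedelta(days=1), now
    counts: Counter = Counter()
    for ev in events:
        if not (start <= ev["End Time"] <= end):
            continue                                 # outside the query's time window
        key = (ev["Category Outcome"], time_bucket("Hour", ev["End Time"]))
        counts[key] += 1
    # ORDER BY Category Outcome ASC; the hour bucket breaks ties (assumption).
    return [(outcome, hour, n) for (outcome, hour), n in sorted(counts.items())]


if __name__ == "__main__":
    for outcome, hour, n in vpn_logins_outcome_hourly(EVENTS):
        print(f"{outcome:10s} {hour.isoformat()}  {n}")
```

The event from two days earlier never reaches a bucket because the Start Time/End Time window is applied before grouping, which is why a query whose window lies outside the data returns an empty result set rather than an error.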


ORDER BY Query Fields 

Click Add ORDER BY columns to specify the order in which you want the data in your buckets sorted. 
For example, you might “order by” if you were interested in the numeric value of the items in your bucket 
such as the top 10 logins. 
Figure: Query Editor, Fields tab, with ORDER BY selected. The Query Structure pane at the top shows 
SELECT (Count(Category Outcome) COUNT, Category Outcome), GROUP BY (Category Outcome), and 
ORDER BY; the ORDER BY pane below lists the available event fields with checkboxes, a Choose fields 
from drop-down, and a Search box. 

Figure callouts: 

Drag-and-drop items between options (for example, to group by Category Outcome, drag it from 
SELECT to GROUP BY. It remains in SELECT but is also used to GROUP BY). 

Choose Columns: Select one or more data fields to determine the sorting order by, then click the 
arrow to move it to the Query Columns area. 

Query Columns: Shows columns selected for the order by. 




Query Structure (ORDER BY) 

The ORDER BY columns can be different than the ones you chose for the query data under SELECT. 
Also, you can apply functions to these columns. 
Adding and editing fields and variables to order by works similarly to adding them for SELECT. See 
"Query Structure (SELECT)" on page 310. 


Applying a Column Function to Order By 

Optionally, you can specify an aggregate function on a particular column of data to order by, such as a 
line item count, or in the case of numeric data, a sum or average. 

You apply a function to ORDER BY columns the same as you do to a SELECT column, and the same 
functions are available depending on the fields or variables chosen. See "Applying Functions to 
SELECT Columns" on page 310. 

To specify a function for column data, double-click a field or variable in the top pane under “ORDER 
BY” and select a Function (from the drop-down menu) to apply to the column data. 


Figure: ORDER BY pane with the Function drop-down (COUNT) and the sort-order drop-down (ASC) for 
the selected column, and the Add 'ORDER BY' columns link. 


Sort Order 

Under ORDER BY you can also set the sort order on the fields/columns. By default, the sort order is 
ascending (ASC). You can change it to descending (DESC). 


Query Conditions 

Optionally, you can create conditions on individual fields or on groups as part of the query. You can add 
filters, and conditions based on assets, vulnerabilities, and active lists. Query conditions represent the 
WHERE clause of the query. 

Use the "Common Conditions Editor (CCE)" on page 864 within the query editor to create query 
conditions as described in this section. 

Tip: The Common Conditions Editor is used throughout the ArcSight Console for various 
resources. In addition to the topics that follow on defining conditions for a report query, see also 
"Common Conditions Editor (CCE)" on page 864, "Conditional Statements" on page 879, 
"Conditions" on page 880, and "Logical Operators" on page 999. 


Creating Conditions on a Field 

For information on how to create conditional statements, see "Common Conditions Editor (CCE)" on 
page 864, "Conditional Statements" on page 879, "Conditions" on page 880, and "Logical Operators" on 
page 999. 

1. Click the Conditions tab and select data fields from the fields below list to build a condition 
statement in the display area at the top of the Edit sub-tab. 

The data field table displays a Name, Operator, and Condition column. These three columns are 
combined to create <data field> <logic operator> <data field value> condition statements. For 
example, if monitoring a Cisco Router, you could define a condition statement to specify Device 
Product = Cisco Router: Device Product as the data field, equals (=) as the logic 
operator, and Cisco Router as the data field value. 

2. In the Op column, double-click the cell and select a logic operator from the drop-down menu. 

3. In the Condition column, type a data field value or double-click the cell and select a value from the 
drop-down menu. Press Enter to add the condition to the statement above. 

4. Repeat this process to add more statements to the condition. 

5. Click Apply or OK to save your changes and create the condition. 


Tips on Creating Conditions 

• Drop-down menus appear if the selected data field has a set of value options. For example, if the 
Category Behavior data field is selected, a drop-down menu appears with the value options of 
/Access, /Access/Start, /Access/Stop, and so on. One of the choices in this menu is 
/Authentication/Verify, which is the condition we selected for Category Behavior in our example 
condition. 

• For date and time data fields, such as Detect Time, you can type an actual date value, such as 
10/12/2002 8:54:00 AM, or you can use special Time variables. 

• The condition statement appears as a branch under the logical operator. 

• To add a condition to an event field, click in its condition box and click the ellipses icon. 

• To activate all operands on the top, select an item in the editor view, as shown above. 


Creating Group Conditions 

Creating a group condition is similar to creating a normal condition, except you pick an aggregate 
function to perform on the group. 

You would use it if, for example, you group by event name and want only the events with more than 
100 occurrences in the query. In this case, you would add a Count() aggregate function to the 
eventId field, for example, count(eventId) > 100, to eliminate the events that have occurred fewer 
than 100 times. 
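The condition statement from "Creating Conditions on a Field" (Device Product = Cisco Router, ANDed with the Category Behavior = /Authentication/Verify choice) and the group condition count(eventId) > N from the paragraph above, as one added example in Python. This is not ArcSight code: the events are constructed, only the comparison operators of the Common Conditions Editor are modelled, and the small thresholds used in place of 100 are chosen to fit the sample.

```python
"""WHERE conditions and group (HAVING) conditions of an ESM report query,
modelled in Python.

Added example, not ArcSight code. The sample events, the comparison-only
operator subset and the thresholds used are assumptions.
"""
import operator
from collections import Counter
from typing import Any, Dict, List

Event = Dict[str, Any]

# Comparison operators of the Common Conditions Editor that this model supports.
OPERATORS = {
    "=": operator.eq, "!=": operator.ne,
    ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
}


def evaluate(cond: Any, ev: Event) -> bool:
    """Evaluate a condition tree (the WHERE clause) against one event.

    A leaf is (field, op, value); a branch is ("AND" | "OR" | "NOT", [children]),
    matching the way conditions hang under a logical operator in the editor.
    """
    head = cond[0]
    if head in ("AND", "OR", "NOT"):
        results = [evaluate(child, ev) for child in cond[1]]
        if head == "AND":
            return all(results)
        if head == "OR":
            return any(results)
        return not results[0]                # NOT wraps exactly one child
    field, op, value = cond
    actual = ev.get(field)
    if actual is None:
        return False                         # an unset field satisfies no comparison
    return OPERATORS[op](actual, value)


# The condition statement from the text: Device Product = Cisco Router, ANDed
# with the Category Behavior example value.
WHERE = ("AND", [
    ("Device Product", "=", "Cisco Router"),
    ("Category Behavior", "=", "/Authentication/Verify"),
])


def _event(event_id: int, name: str, product: str, behavior: str) -> Event:
    return {"Event ID": event_id, "Name": name,
            "Device Product": product, "Category Behavior": behavior}


# Constructed events; each carries a distinct Event ID so Count(Event ID) counts rows.
EVENTS: List[Event] = (
    [_event(i, "Login attempt", "Cisco Router", "/Authentication/Verify") for i in range(1, 5)]
    + [_event(i, "Config change", "Cisco Router", "/Authentication/Verify") for i in range(5, 7)]
    + [_event(i, "Login attempt", "Cisco ASA", "/Authentication/Verify") for i in range(7, 10)]
    + [_event(10, "Login attempt", "Cisco Router", "/Access/Start")]
)


def events_by_name(events: List[Event], where: Any, min_count: int) -> Dict[str, int]:
    """GROUP BY Name, SELECT Count(Event ID), with the group condition
    count(Event ID) > min_count (the text uses 100)."""
    counts = Counter(ev["Name"] for ev in events if evaluate(where, ev))   # WHERE, then GROUP BY
    return {name: n for name, n in counts.items() if n > min_count}         # group condition


if __name__ == "__main__":
    print(events_by_name(EVENTS, WHERE, 2))
```

The WHERE conditions are applied to each event before grouping, so the three Cisco ASA events and the /Access/Start event never reach a bucket; the group condition is then applied to the per-name counts, which is the difference between a field condition and a group condition that the section describes.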


Query Variables 

Variables are run-time information derived from the source data (event, asset, case, notification, or 
trend, depending on the schema) that can be used in the query wherever normal fields can be used. 

Tip: You can create local variables which are available only to the resource you are creating (in 
this case, a query), or use global variables. The following steps describe how to set a local 
variable. For information on creating global variables, see "Global Variables" on page 555. 
To set a local variable: 

1. Click the Variables tab. 

2. Click Add to launch the Variables dialog. 

3. The Variables dialog displays different values depending on the function you choose. In the 
Variables dialog, enter the following values and click OK. 


Options 

Description 

Name 

Enter a name for the variable. This is the alias that appears in the Conditions editor 
when you can use the variable. Spaces and special characters are OK. 

Function 

From the drop-down menu, select a function. For a description of each function, 
click Help in the lower right corner. 

Arguments 

The arguments section contains a series of fields where you set the parameters 
for the variable. The available fields vary with the function you select. 

Preview 

The preview area provides an interface where you can enter values for the key 
variable fields so you can verify that the parameters you specified return the 
expected results. 


Enter test values and click Calculate. 


Editing a Query 

1. Navigate to Reports in the Navigator panel, select the Queries tab, and select the query you want 
to modify. 

2. Double-click the query, or right-click and select Edit Query from the context menu. This launches 
the Query Editor in the Inspect/Edit panel, and shows the definition for the selected query. 

3. Edit the query definition as needed. See "Defining Query Settings" on page 303 for details on 
query attributes. 


Caution: If you are editing a trend query 

If the query is used in a trend, the query and associated schema referenced in the trend are 
set at the time the trend was created. After the trend is created, you can add columns to the 
base query, but columns added to the query after the trend is created are not used by the 
trend. You can remove columns from the base query that are not used by the trend. 

However, if you want a trend to have the added or removed columns in the trend query, create 
another trend and select the modified query. 
4. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

5. Click Apply or OK to save your changes. (Click Cancel to exit the Query editor without saving 
changes.) 


Example: Creating Asset-Related Conditions for Queries on Lists 

This example applies to queries on active and session lists. A list is typically populated automatically 
by one or more rule actions (see "Rule Actions Reference" on page 520). You can then query those lists 
to create reports. 

For queries on lists, the Assets button on the query’s Condition tab is disabled. This therefore limits 
your ability to add an asset-related condition by means of a button. You can, however, use the 
Common Conditions Editor to create your query condition statements in queries on lists containing 
assets. 

This example uses a query on a list that contains assets. The goal of this example is to use a list to 
collect asset information, and you would regularly query that list for this information. Specifically, you 
are looking for assets that belong to a specific category. 

Model your network: 

Assets are part of your network model. For complete information, see "Modeling the Network" on 
page 98. 

Create your list: 

Create a field-based active or session list containing assets fields. Details are in "List Authoring" on 
page 469. 

Create your query: 

This query is interested in looking at the list and getting assets that belong to a particular asset 
category. Details for setting general query attributes are in "Defining Query Settings" on page 303. 

Add your query conditions: 

For our purposes, we want to look for assets that belong to a category. 

1. On the Conditions tab’s Common Conditions Editor, locate the asset field of interest, for example, 
Asset ID. Use the InGroup operator for the field. 

2. Click the ellipsis in the Condition column to display the Advanced Editor for the asset field. 

The Advanced Editor provides the following options for the asset field: 
Asset 

Expand the asset group nodes and select an asset group. 

Zone 

Expand zone nodes and select a zone. 

AssetCategory 

Expand the asset category nodes and select an asset category. 


Note: The Asset options listed above are not available to all fields. 


3. Specify your asset attribute of interest and browse to the desired resource URI to complete your 
condition statement. 

For example: 


[Screenshot: Query Editor, Advanced Editor for an asset field. The Asset Categories tree (Shared / All 
Asset Categories, with groups such as ArcSight Solutions, ArcSight System Administration, Site Asset 
Categories, and System Asset Categories / Criticality) is expanded to select the desired resource; OK, 
Cancel, and Clear buttons close the dialog.] 

Expand the nodes as required and select the desired resource. 

To provide an asset-related value for your query condition, click the Common Conditions Editor's 
Advanced Editor button. Choose an asset attribute (AssetCategory in this example), then browse to 
the specific resource. 


In our example, we choose AssetCategory. We are interested in the Criticality category that is 
equal to High. A list of asset category groups is displayed, from which you can further expand to 
select the category you want. The query’s condition statement is then updated according to your 
selections, for example: 
The query returns Asset IDs belonging to the asset category specified in the condition statement. 

Chapter 13: Query Viewers 

This topic describes how to define and use query viewers to get high-level summaries about trends, 
events, other resources, and system health along with drill-down capability in a dynamic viewer. 


What are Query Viewers? 

Query viewers are a type of resource for defining and running SQL queries on other resources, 
including trends, assets, cases, connectors, events, and so forth. Each query viewer contains a SQL 
query along with other logic for establishing and comparing baseline results, analyzing historical data to 
find patterns in network activity, and performing drill-down investigation on a particular aspect of the 
results. The query viewer you create displays all the fields specified in the query you select (or create) 
for the query viewer. 


To navigate to Query Viewers: 

In the Navigator panel, select Query Viewers resource from the drop-down menu. 


[Screenshot: Navigator panel with the Query Viewers resource selected (shortcut Ctrl+Alt+Q), showing 
the user's own Query Viewers group and Shared / All Query Viewers with the groups ArcSight 
Administration, ArcSight Foundation, ArcSight Solutions, Downloads, Personal, Public, and Unassigned.] 


You can use query viewers to run the same SQL queries used for reports, and get results quickly. Then, 
if desired, you can generate a simple report directly from the query viewer results. Full-featured 
reporting (with queries, trends, and templates) is still offered for more robust reporting requirements 
(see "Building Reports" on page 371), but query viewers provide a shortcut to running those same SQL 
queries apart from reporting. (See also "Viewing and Using Channels" on page 211.) 

Query viewers provide high-level summaries to monitor system health, reveal trends, and allow for drill- 
down investigation of all types of resources. Query viewers can work with trend tables rather than 
event tables, and so can return results much faster than "Active Channels" on page 785. 

The SQL-based summary views and trend analysis in query viewers use aggregation to provide a 
higher-level perspective than data gleaned from exclusively event-focused active channels and 
snapshot, limited-range data monitors. 
Query viewers offer a way to run queries outside of a full reporting paradigm (where queries and trends 
are always tied to a particular report). They offer a quick way to run SQL queries on the data sources 
available to report queries. 

Also, you can generate simple reports directly from query viewer results. 
As an option, you can add query viewer results to dashboards and reports. 


Query Viewers leverage an existing report query to run SQL queries on data sources, such as trends, 
active lists, session lists, assets, cases, events, and notifications. Each query viewer contains a base 
SQL query along with other logic for establishing and comparing baseline results, analyzing historical 
data to find trends, and performing drill-down investigation on a particular aspect of the result. The 
results are displayed in interactive charts and tables, which can be added to dashboards and published 
as reports. 


Query viewers provide: 

• A quick way to run SQL queries and trends apart from full-scale reporting. If you want to run 
a pre-built SQL query and view results quickly, or build and test several iterations of a custom 
query, query viewers are an easy way to do it. (You can also generate a simple report directly from a 
query viewer.) 

• High-level summaries. For example, using the aggregation provided by queries and trends allows 
summaries of “interesting things” over the last month, day, or hour. 

• Non-event-based summaries. Queries can be used to analyze resources other than events (such 
as assets and cases). 

• Event-based summaries. Queries can be used to analyze events, and eventually lead to active 
channels (with drill-down investigation). 

• Baselines. Analysts can apply a baseline to the information resulting from a particular run of a 
query viewer. A baseline acts as a reference point against which to compare results of other runs of 
the same query and highlights the deltas (differences) to help identify areas that vary significantly 
from normal. 

• Drilldown. Query viewers can provide drilldown investigation into the same or another query viewer 
for good performance on the next level of results as well. Ultimately, the drilldown can lead to an 
event channel, where the performance costs are the trade-off for the power of event-based analysis 
in an active channel. The query viewer author defines the appropriate drilldown paths and levels. 

• Performance. Query viewers can use trend tables which are typically much smaller than event 
tables, and can be pre-built with summary views in mind. So, in most cases query viewers can 
return and display results faster than "Active Channels" on page 785. 

• History. When based on trends, query viewer result data can be kept for as long as desired and be 
independent of the event archival process. 

• Flexibility. ArcSight provides both pre-built query viewers and a resource editor for adding custom 
query viewers to suit the needs and environment of your organization. 

• Presentation Options. Query viewer results can be displayed as tables (with baselines, if desired), 
pie charts, and barcharts, and added to "Dashboards" on page 884 for quick display and monitoring. 


Pre-Built and Custom Query Viewers 

The Manager to which your Console is connected has pre-built query viewers available for use. At a 
minimum, you have access to standard content query viewers that ship with ArcSight. You might also 
have access to custom query viewers provided by content developers for your organization. 


Standard Content 

ArcSight comes with a set of pre-built query viewers that address common network monitoring and 
trend analysis scenarios. To access the standard content query viewers, in the Navigator panel select 

Query Viewers, then click to expand the list to Query Viewers/Shared/All Query Viewers. 

Refer to the ArcSight Administration and ArcSight System Standard Content Guide for the descriptions 
of the pre-built queries. 

For information on how to run and use any pre-built query viewer, see "Running Queries and Viewing 
Results" on page 348, "Generating Reports from Query Viewers" on page 362, and "Defining and Using 
Baselines" on page 335. 
Custom Query Viewers 

When administrators or content developers at your organization create custom query viewers, they 
have the option of sharing these with other administrators and users. So, depending on your role and 
user permissions, you might have access to: 

• Query viewers that ship with ArcSight 

• Custom-built query viewers that other administrators have shared with other ESM users 

• Your own custom-built query viewers 

For information on how to create your own custom query viewers, see "Creating or Editing a Query 
Viewer" below. 


Customizing Query Viewers as Needed 

You can modify the provided query viewers as needed to get the data you want. Customizing an 
existing query viewer can range from hiding or showing data fields, changing the sort order inherited 
from the base query, to adding variables and modifying key fields. These kinds of changes do not affect 
the base query, only the query viewer. 

Once a query viewer is defined to reference a particular base query, that base query cannot be 
changed for that query viewer. If you want to reference a different base query, you need to create a 
new query viewer. This brings up an important point: where do you get the base queries you need? 
See "Base Queries for Query Viewers" on page 846 to find out. 

inActiveList Conditions for Queries 

In a query, you can define an inActiveList condition and map multi-valued attributes to single-valued 
active list fields. For example, you have an active list that keeps track of actor roles, where one of the 
role values can be Normal, Restricted, and Privileged. You can test if an actor has one of these roles 
through the inActiveList condition. In this scenario, your list has a field called RoleName. You map 
the actor's role name attribute to this field. Keep in mind that an actor's RoleName attribute is multi- 
valued because an actor can have multiple roles. Through the inActiveList condition, your query will 
check if one of the actor's roles is, for example, Privileged. 

Querying an active list of assets requires extra steps, as explained in "Example: Creating Asset-Related 
Conditions for Queries on Lists" on page 320. 


Creating or Editing a Query Viewer 

Query viewers provide a shortcut alternative to running SQL queries as a part of reporting. Keep in mind 
that query viewers use base queries, so a first step in creating a query viewer is deciding what SQL 
query you want to use. If you can’t find one that does what you want, you’ll need to create one first, 
then use it as the base query for a new query viewer. 

Caution: Do not exceed more than 10,000 resources in a group. 

The high-level steps for creating or editing a query viewer are as follows: 

1. Identify your questions and what information you are looking for. (For example, “What types of 
actions represent the highest volume of events on my network during various times of day?”) 

2. Based on the question you want answered, decide what kind of query you need and determine 
whether it is available or you have to create it. 

If you do not find a suitable query when you browse the choices under Reports/Queries (or on the 
Query Viewer “Query” field “Select a Query” drop-down menu), you can create one. To get started 
creating a new query, navigate to Reports, and click the Queries tab. For more information see 
"Building Queries" on page 301. 

When you know which query you want to use and have either found a pre-built one or created a 
new one, you are ready to create a query viewer that uses that query. 

3. Select Query Viewers in the Navigator. 

4. Right-click a group (folder) and select New Query Viewer. 

Note: As a general rule, create new content in your own user folder. 

To edit a query viewer, right-click and choose Edit Query Viewer. 

5. In the edit panel, define general attributes for the query viewer as described in "Query Viewer 
Attributes" on the next page. At a minimum, fill in the required values (red asterisks) on the 
Attributes tab (query viewer name and “base query” to use). 

Note: After the base query is selected and the query viewer is saved, you cannot change the 
base query. If you want to use a different base query, create another query viewer for it. 

6. Choose the Fields to display for the query viewer as described in "Query Viewer Fields" on 
page 331 . (Fields are inherited from those available in the base query.) 

7. Define Variables for use in the query viewer as described in "Query Viewer Variables" on 
page 334 (optional). 

8. Specify any Drilldowns you want to include with the query viewer as described in "Managing 
Drilldowns from Query Viewers" on page 342 (optional). 

9. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

10. Click Apply or OK to create the new query. 
Note: Be sure to click Apply or OK frequently to save settings periodically as you work 
through the above steps. Clicking Apply saves settings and leaves the Editor open. Clicking 
OK saves settings and closes the Editor for this query. If you do not apply or accept settings 
using these buttons, your settings are not saved. 


Tip: To edit a query viewer for which results are currently displayed in the Viewer, click the Edit 
Query Viewer button on the lower right of the Viewer. 

The results display for the query viewer you want to edit must have focus (that is, be on top) in the 
Viewer. 


Defining Query Viewer Settings 

Use the Query Viewer Editor to build a new query viewer or edit an existing one. Query viewer settings 
are defined on multiple sub-tabs. 

Tip: You can access the editors for multiple query viewers simultaneously. 

• To access the editor for a query viewer, follow the first steps in "Creating or Editing a 
Query Viewer" on page 326. 

• If you want to edit more than one query viewer at a time, choose Edit > Preferences from the 
Console menu, then click Global Options. On the Global Options panel, check Allow 
multiple editors of the same type, then click OK to save the change and close the 
Preferences dialog. For more on setting Console preferences, see "Changing Global Options" 
on page 79. 


Query Viewer Attributes 


The following fields in the Query Viewer section are attributes to specify when creating a new query 
viewer. 

Query Viewer Attributes 


Query Fields 

Description 

Name 

Required: Enter a name for the query viewer. Spaces and special characters are 
allowed. 

Query 

Required: For first-time query viewer configuration, specify the base query used 
in this query viewer. 

1. Click this field to get a drop-down menu showing all available queries on this 
Manager. You can choose from queries created for reports, for other query 
viewers, or a new query you created specifically for this query viewer. 

If you want to create a new query, you need to do this first before creating 
the query viewer. (See also "Building Queries" on page 301.) 

2. From the drop-down menu, select the query you want to use. 

Note: If you are editing an existing query viewer, the Query field is not editable. If 
you want to use a different base query, create another query viewer. 

Refresh Data 

After 

Set an amount of time (in minutes or hours) after which the query viewer 
automatically runs again and shows new data based on that most recent run. The 
query viewer is regularly refreshed based on the specified refresh time period. 

The default for this setting is after every 15 minutes. 

To change this default: 

1. Click the field to activate the settings. 

2. In the left-hand field, enter a numeral, and in the right-hand drop-down menu, 
select minutes or hours. 

Query Time Out 

Define a time out limit in which the query must return results. If the query does 
not complete and sends no results within the specified time out period, the 
Manager stops running the query. 

By default, the time-out is 300 seconds (5 minutes). If you do not specify a Query 
Time Out in the Attributes tab, this time-out of 5 minutes applies (even if the 
Query Time Out field shows “None”). 

Setting a time out limit is good practice especially if the event rate (events per 
second or EPS) is unusually high, start/end time range is large, or the query is 
complex. Time outs can help guard against infinite or long running queries that 
impact system performance. Although this is less of an issue with query viewers 
since they are designed to minimize impact on system performance, this can still 
be an issue in some scenarios. 

Setting time outs can be a useful troubleshooting technique for new queries, or 
existing queries in new scenarios, for example where event counts spike higher. 

Default View 

The Default View attribute determines how the result data are displayed when 
you double-click the query viewer to open the results in the Viewer panel . 

Define the default (double-click) view format for this query viewer. The choices 
are to show data as: 

• Table (this is the default) 

• Pie chart 

• Bar chart 

Double-clicking a query viewer in the Navigator displays result data in the format 
set here. 

If you choose Pie Chart or Bar Chart as the default view format, choose fields to 
use for the Values Column (to plot the y axis points on a bar chart or slice sizes 
on a pie chart) and Points Labels column (to plot the x axis labels on a bar chart 
or slice labels on a pie chart). The Values Column and Points Labels are also 
described in "Running Queries and Viewing Results" on page 348. 

Values Column 

The Values field applies to bar charts and pie charts. This setting provides fields 
in the query result that contain data types. The value chosen is used as the 
numbers by which to plot the vertical y axis points on a barchart or the slice sizes 
on a pie chart. 

Values typically represent an unknown set of values, like a count. A common 
example of numeric data appropriate for values is a time like HourOfDay or a 
count like Count(Event ID). 

Point Labels Column 

The Point Labels field applies to bar charts and pie charts. This setting provides 
fields in the query result that contain non-numeric data types. The point labels are 
used to plot the horizontal x axis labels on a barchart or the slice labels on a pie 
chart. 

Examples of non-numeric data types appropriate for point labels are timestamps, 
strings such as are used for event names, and different types of addresses such 
as IP or MAC addresses. Point labels are typically a known set of limited values 
(like hours in a day denoted by timestamps). 


Setting the following attributes (Start Time, End Time, or Row Limit) in the Query Viewer overrides 
these settings in the base query. (See "Query" about defining the base query in the Query attribute.) 

Start Time 

Specifies the starting point for the data gathering. 

A drop-down menu provides values to select based on "Velocity Templates" on 
page 1093 (such as $Now, $Now - 1d, and so on). You can also provide a 
timestamp such as: 27 Jul 2015 16:00:00 PDT. 

For more on timestamps and timestamp variables, see "Timestamps" on 
page 1063, "Timestamp Variables" on page 1065, and "Variables" on page 1069. 

End Time 

Specifies an end point for the data gathering. 

A drop-down menu provides values to select based on "Velocity Templates" on 
page 1093 (such as $Now, $Now - 1d, and so on). You can also provide a 
timestamp such as: 28 Jul 2015 16:00:00 PDT. 

For more on timestamps and velocity references, see "Timestamps" on 
page 1063, "Timestamp Variables" on page 1065, and "Variables" on page 1069. 

Row Limit 

Set the row limit for the data table. 

The default for all new base queries is the maximum allowable, which is 10,000 
rows. 

If the default is not changed in the base query, and no limit is specified here in the 
query viewer, the result shows up to 10,000 rows of data. 


Entering data in the Common and Assign sections is optional, depending on how your environment is 
configured. For information about the Common and Assign attributes sections, as well as the read-only 
attribute fields in Parent Groups and Creation Information, see "Common Resource Attribute Fields" 
on page 685. 

Query Viewer Fields 

To define the data display, click the query viewer Fields tab. 


HP ESM (6.9.1c) 


Page 331 of 1106 


ArcSight Console User's Guide 
Chapter 13: Query Viewers 



The data fields shown on this tab are inherited from the base query. When a query viewer is first 
created, the data fields are shown here with the same settings they inherited from the base query for 
Use and Key fields. So, initially all fields are enabled for Use and fields that are grouped by columns in 
the base query show as Key fields here. 

You have the option of overriding the base query settings for Use and Key settings on inherited data 
fields in the query viewer. (Settings here do not affect the base query.) You can override these settings 
when you first create the query viewer, or when you edit it later. 

Select (check) Use for fields to display in the query viewer results. Fields not selected to Use do not 
show up in the query results. 

Optionally, you can select one or more fields to use as Key fields. Key fields are columns that can be 
used to uniquely identify a role in the query. Only the fields selected as keys are used when doing 
baseline comparisons. 


[Screenshot: the Data Fields table on the Fields tab for this example, reconstructed below; the Key 
column check boxes are not legible in the original.] 

Name               Alias              Use 
TimeStamp          TimeStamp          ✓ 
Name               Name               ✓ 
Count(Event ID)    Count(Event ID)    ✓ 

The query viewer displays results from these columns, showing them from left to right in the order 
specified. The above settings would result in a query viewer that shows Timestamp as the left-most 
column, followed by Name, and so forth. You can re-order the columns by selecting a row and clicking 
the up or down arrow to move it. 


Sort Options 

The query viewer inherits the sort options from the base query, but you can override those sort options 
here, without affecting the base query. 


You can add data fields from the base query to sort the query results in the query viewer display. 


Click Add to get the list of available fields and select those you want to sort on. 


Column             Sort Order 
TimeStamp          Z-A (up arrow) 
Count(Event ID)    A-Z (down arrow) 





In the example above, the Timestamp is sorted from newest to oldest. Data with the newest 
Timestamp is at the top of the list. Data with the oldest Timestamp is at the bottom of the list. (This is 
indicated by the Z-A sort order and up arrow.) In a case where multiple rows have the same Timestamp, 
these are sorted by the Count(Event ID) from smallest to largest (as indicated by the A-Z sort order and 
down arrow). 

You can change the priority of a column by selecting a column and clicking the up or down arrow to 
move it. 

Note: It is possible to sort on fields that you choose not to display in the query result. 

Suppose you decide to hide the timestamp and count (event ID) columns. In the query viewer Sort 
Options, you can still sort by Count (Event ID) and Timestamp. 

The list of event names and results for this query viewer display in this multi-column sort order by 
timestamp and count (event ID), but those columns do not show up in the display. 


Baselines 

If any baselines have been set on results returned on this query viewer, those are listed in the 
Baselines area of the Fields tab. 

Baselines are created on query results tables using the right-click popup option Investigate > Add as 
baseline... after a query runs. (See "Defining and Using Baselines" on page 335.) 

When a query has one or more baselines available, you can compare the current results of a table view 
with the baseline. 

To remove baselines from the query viewer, click the Fields tab, select the baseline name, and click 
Remove. Be sure to click OK or Apply on the Query Viewer Editor to save your changes. 

If you remove the baselines from the query viewer definition, they are not available on the next run of 
the query viewer. 
Query Viewer Variables 

To add a local variable, click the Variables tab. 

• Provide a name for the local variable. 

• Choose a function from the drop-down Function menu. 

• Fill in other details as needed and click OK to add the variable to the query viewer. 



The variable you add here shows up in the following views: 

• As a field in the Fields tab in the query viewer editor definition (including the options to Use and use 
as a Key field) 

• As a column in the query viewer result (If the query viewer result is displayed in the viewer when 
you add the variable, the variable shows up immediately as a column in the result.) 

For example, you can add a Timestamp Function (such as GetHour, GetDayOfWeek, 
GetDayOfMonth, and so forth). 

Note: A query viewer local variable cannot be promoted to a global variable. 

Local variables defined for data from events, actors, cases, and assets can be promoted to a 
global variable. 

Local variables defined for a query viewer cannot be promoted to a global variable. Query viewers 
operate on queries, which have their own distinct schema for each instance. A local variable 
defined for a query viewer is only applicable to that query viewer. 

For more on using variables in resources, see "Variables" on page 1069. 

For more information on global variables (which can be used in queries), see "Global Variables" on 
page 555. 


Deleting a Query Viewer 

1. Navigate to Query Viewers in the Navigator panel, right-click the query viewer you want to delete, 
and select Delete Query Viewer. 

A confirmation dialog is displayed. 

2. Click Delete to confirm your choice and delete the query viewer. 


Defining and Using Baselines 

You can establish a particular set of query results as a baseline snapshot against which to compare 
the results of other runs of the same query. Comparing the results of the same query run at different 
times and in different contexts highlights the deltas (differences) and helps identify areas that vary 
significantly from normal. If spikes, dips, or other anomalies appear, you can compare them against the 
baseline. 

You can define baselines and run comparisons with any query viewer that: 

• Lends itself well to a table format display 

• Includes one or more key fields by which to locate matching entries between the baseline and 
currently displayed information. 

For example, suppose you have a query that returns the top 10 event counts by name and you want to 
compare it against some baseline. A reasonable comparison would be between similarly named events 
in both sets of data. In this case, the event name would be used as the key field. 

Note: Following are important considerations on baselines. 

• Baselines are applicable only to table views of result data. Baselines do not apply to 
graphical views such as pie charts, bar charts, and so on. You always have the option to view 
query data from any query viewer as a graphical chart or a table, but the baseline data is only 
accessible from the table view of the data. 

• Baselines require one or more key fields by which to locate matches between the baseline 
and the displayed data. The key fields must be built into the query viewer to which you want to 
add a baseline. 

• Values for Key fields must be unique. When adding baselines, make sure key fields in the 
query viewer have unique values. (See the Fields tab in the query viewer editor.) Also, check 
the query viewer start and end times (on the Attributes tab in the query viewer editor) to make 
sure the timeframe over which the query runs makes sense. 
You can add one or more baselines to a single query viewer, and delete them as needed. 


Why Baselines are Useful 

In addition to providing a way to compare result data from different query runs, baselines provide an 
efficient way to save, annotate, and retrieve data that might otherwise be too difficult to access in any 
meaningful way. 


A baseline is preserved as a File resource that is associated with the query viewer. In the Navigator, 
choose Files and expand the Attachments folder to view the new baseline files you created. 


Tip: The query viewer baseline files in the Files\Attachments folder appear along with other files 
in alphabetical order. For your convenience, in the Files resource, you may add a folder (add a 
group) to contain only your baselines. You can name it <yourname> Baselines and drag your own 
baseline files from Attachments to your own folder. The baseline files always remain in 
Attachments but a link is established from files in Attachments to the files in your own folder. 


In Query Viewers, you can create, save, and use baselines to compare result data from the same 
query viewer run at different times and dates. Baselines created in Query Viewers also show under 
the Files resource in the Navigator. Baselines are automatically saved in the Attachments folder; 
for convenience, create another folder to contain your baselines and drag them there. 

[Figure: Navigator Files tree showing a user-created baselines folder holding the baselines 
"Newest Weekday" and "Weekday", alongside the Shared, All Files, ArcSight System, Personal, 
Public, and Attachments folders.] 


With Query Viewer baselines, you can: 

• Retrieve the snapshot baseline data by running comparisons against it. 

• Compare current result data against one or multiple baselines. 

• Get meta-information about the baseline (such as when it was saved, by whom, and comments). 
• Sort, show, or hide the baseline comparison columns. 

• Maintain the baseline data as a Files resource baseline even if the original data is lost or is too 
performance-intensive to re-generate (for example, an aggregation query). (All baselines are 
automatically added as Files resources when they are created.) 

• Add and remove baselines as needed, and edit some meta-information on baselines (for example, 
description comments). 

• Use filters on the baseline (delta) columns. For example, you could filter on a baseline column to 
find where the current results differ from the baseline by more than some specified value. 


Planning for Baseline Comparisons 

Query viewer baselines might prove most useful if you take a little time to identify some goals for their 
use or questions you want answered, and then plan how to implement the baselines for those 
purposes. Here are some suggestions to start off with. 

1. Establish questions or goals for baseline comparison monitoring and identify the type of data you 
want to evaluate. 

For example, you might want to determine what type of event traffic is at its highest at different 
times of day or when network attacks tend to increase. Or, you might notice a spike in certain 
query viewer results (such as more logins from a particular user) and decide to compare the 
behavior against a sampling of results from subsequent or previous query runs. 

2. Identify the query viewer (and associated query) appropriate to use. If the query viewer you need is 
not provided, you can develop it. See "Creating or Editing a Query Viewer" on page 326 for more 
information on this. 

For example, if you want to monitor what type of event traffic is at its highest, you could establish 
a baseline for a query viewer that returns “Top Event Counts by Hour of Day.” You could also use 
a query viewer baseline to take snapshots of event counts throughout the day, either for record- 
keeping or to explore and compare later. 

3. Monitor results for your chosen query (by running the query viewer) to identify a “typical” or 
“normal” result set to use as a baseline. 

4. Add (capture) the baseline from the typical/normal result set. 

5. Monitor subsequent results for variation (spikes, dips) or time periods against which you want to 
compare with the baseline, and run baseline comparisons on these. 


Adding a Baseline 

Baselines can be defined only on numeric fields, because a baseline comparison shows deltas: the 
difference between the current value and the baseline value for the same key. 

To add a baseline to a query viewer: 

1. In the Navigator panel, choose the Query Viewers resource. 

2. Select and run the query viewer (containing the query) for which you want to define a baseline. 

To do this, right-click the query viewer and choose View Data As > Table. 

Note: Baselines are applicable only to table views of result data. 

The query viewer result is displayed in the Viewer. 

3. Right-click anywhere in the results table in the Viewer, and select Investigate > Add as baseline 
to get the Add a baseline dialog. 

4. Enter a name for the baseline, optional description, and click OK to add it. 

This saves the current query result data as a named baseline for the selected query viewer, and 
makes it available for use (through Investigate > Compare with... against results from other runs 
of the same query viewer). 

The baseline is shown on the query viewer's Fields tab. 

Tip: If the query viewer editor is not currently displayed, double-click the same query viewer 
in the Navigator panel to open it in the editor. Click the query viewer editor Fields tab. 


Comparing Displayed Results to a Baseline 

After you establish a baseline for a query, you can compare subsequent results for the same query 
against the baseline. 

Requirements: 

• Baseline comparisons, like baselines, can only be derived from table views of the query viewer 
results. See "Results in Table Format" on page 352. 

• The query viewer you select for baseline comparison must have at least one baseline already added 
to it. Baselines are shown on the Fields tab of the Query Viewer editor. 

To run a comparison: 

1. If you do not already have a table view of the data you want to compare, right-click the query 
viewer you want to evaluate against a baseline, and choose View Data as > Table from the 
Navigator menu. 

2. In the Viewer, right-click anywhere on the table view results and select Investigate > Compare 
with: <SomeBaseline>. 

The comparison data is collected and added as a new column. You have the option of hiding or 
showing it in the table as needed. 

3. Make your selections on the Select Columns table and click OK. 



Tip: By the time the Select Columns dialog is displayed, the Baseline comparison is already 
available. 


If you selected the comparison column, it is displayed on the table next to the original results for 
that column. 


Events: Table 
Query: Events 
Last Update: 1 Aug 2008 16:40:14 PDT 
Filter: No Filter 
10 shown / 10 matches 

Name                                  COUNT(Events)   COUNT(Events) - (Typical Weekday Baseline) 
Monitor Event                                 14071   -929 
Top value count data monitor val...           10209   1209 
ICMP PING                                       976   (blank) 
ICMP PING *NIX                                  852   -57 
ICMP PING BSDtype                               852   -56 
NETBIOS SMB-DS DCERPC NTLM...                   678   74 
NETBIOS SMB-DS Session Setup ...                317   99 
AddToList: Success                              238   0 
ActiveList entry updated                        233   0 
Starting Trend Query                            192   0 

Note that differences between the current values and the baseline can be positive or negative, as 
shown in the example comparison above. A positive value in the baseline comparison column means 
more events in your current sample than in the baseline; a negative value means fewer events in 
your current sample than in the baseline. If the baseline field for a row is null, no baseline 
value was available for that key (the key did not occur in the baseline snapshot). 

Tip: Here are more options available after comparing baselines. 

■ After running a baseline comparison, the right-click (over the table) Investigate > Compare 
with <Baseline> option for the baseline you just ran is grayed out, even if you chose not to 
select any columns or clicked Cancel on the Select Columns dialog. This is because the baseline 
comparison is already added. 

■ To show or hide more columns (including baseline columns), right-click the column header, 
choose Show Column, and check (enable) or un-check (disable) columns. See also 
"Show or Hide Baseline Columns" below. 


Show or Hide Baseline Columns 

You can always show or hide columns, including baseline columns. To do this right-click anywhere in 
the table header (on any of the column titles), choose Show Column > <SomeField>. 



[Figure: right-click menu on a table column header, showing Sort Column, Remove Sort, Show 
Column, Size Column to Fit, and Help. The Show Column submenu lists the available columns with 
checkboxes: TimeStamp, Name, Count(Event ID), Count(Event ID) - (Reference Baseline), and 
Count(Event ID) - (Typical Weekday Baseline).] 
See also "Column Sort, Display, and Edit Options" on page 355. 

Sort Baseline Data 

You can perform an after-query sort on baseline comparison data by clicking the column headers. A 
pre-query sort for baseline data is not available. That is, there is no option to add a sort as a part of the 
baseline in the query viewer definition. 


[Figure: Events: Table result (Query: Events; Last Update: 1 Aug 2008 16:40:14 PDT; Filter: No 
Filter; 10 shown / 10 matches) sorted on COUNT(Events), with the sort arrow in that column header 
and the right-click header menu showing Sort Column, Remove Sort, Show Column, Size Column to Fit, 
and Help. The query time range, 8/1 14:40:06 to 8/1 16:40:06, appears at lower left.] 

See also "Column Sort, Display, and Edit Options" on page 355. 

Filter Baseline Data 


You can filter on the baseline comparison column the same way you would filter on any other column. 
Click the Filter in the query viewer header to bring up the Query Data Filter dialog. Enter your filter 
conditions and click OK. After the filter is applied, the query viewer automatically updates. 


The Query Data Filter is based on the Common Conditions Editor (CCE). For information about using 
the CCE to define filters, see "Common Conditions Editor (CCE)" on page 864. 


[Figure: Query Data Filter dialog with the condition COUNT(Events) - (Typical Weekday Baseline) 
> 1000. The field list offers the result columns and their baseline delta columns, for example 
COUNT(Destination Address) - (Typical Weekday Baseline), COUNT(Event ID), COUNT(Events) - 
(Typical Weekday Baseline), and COUNT(Source Address) - (Typical Weekday Baseline). After the 
filter is applied, the query viewer header reads "Filter: COUNT(Events) - (Typical Weekday 
Baseline) > 1000" (Last Update: 1 Aug 2008 17:26:04 PDT) and the display is updated 
automatically. In this example, filtering for baseline differences greater than 1,000 leaves a 
single row: Top value count data monito..., 10209, 1209.] 

Removing a Baseline 

Baselines, like the queries themselves, are associated with and contained in query viewers. To remove 
a baseline, you remove it from the list of baselines in the query viewer editor. 

Tip: Removing a baseline from a query viewer is different from hiding or showing a baseline 
column in a query result. If all you want to do is temporarily hide a baseline column in a results 
table, use the right-click “Show Column” option in the Viewer on the results table as described in 
"Column Sort, Display, and Edit Options" on page 355 in "Results in Table Format" on page 352. 

To remove a baseline from a query viewer: 

1. In the Navigator panel, right-click the query viewer containing the baseline you want to remove and 
select Edit Query Viewer. 

This opens the editor for the query viewer in the Inspect/Edit panel. 

2. In the editor, click the Fields tab. 

3. Under Baselines, select the baseline you want to remove and click Remove. 

4. Click Apply to save your changes to the query viewer, or click OK to save changes and close the 
editor. 

Note that there is no confirm dialog for this Remove baseline action, but if you do not want to save 
your changes, click Cancel and the baseline is not removed. 


Managing Drilldowns from Query Viewers 

Drilldowns provide the ability to investigate details about resources related to what is displayed by 
query viewers or data monitors. You can get more focused views on particular aspects of a single item, 
such as an asset, case, event, and so on, in the query result. 

You can configure query viewers and data monitors to drill down to one or a combination of the following 
resources: 

• Active channels 

• Dashboards 

• Query viewers 

• Reports 

Each drilldown type has its own options. After you have added one or more drilldowns, Console users 
can select one by right-clicking on the result and selecting Drilldown > [drilldown name] from the 
context menu. 


Adding a Drilldown 

The drilldowns are initially displayed in the order they were created. The first drilldown is automatically 
the default. 
To add a drilldown from a query viewer: 

1. Access the Drilldowns tab in one of two ways: 

■ Right-click the query viewer or data monitor results in a dashboard and select 
Drilldown > Edit Drilldowns to open the editor at the Drilldowns tab. 

Or 

■ Right-click a query viewer or data monitor in the Navigator panel and select the Edit option, 
then select the Drilldowns tab. 

2. Click Add to open the Add Drilldown panel. 


3. In the Destination field, choose a resource type (Active Channels, Dashboards, Query Viewers, 
or Reports), for example, Dashboards. Then choose the corresponding specific resource, for 
example, My_Dashboard. 

[Figure: Add Drilldown dialog with a Menu Label field and a Destination selector ("Select a 
Dashboard"); the help text reads "Pick where this drilldown goes to" and "Give your drilldown a 
descriptive name".] 

4. Enter a menu label (defaults to the specific resource’s name). This label will represent this 
drilldown when the user right-clicks and selects Drilldowns on the Viewer panel. 

5. Enter an optional description containing useful information about the drilldown. 

6. Set the remaining options based on your destination resource: 


Options for the Drilldown's Resource Destinations 

Active Channels 

For an active channel destination, the settings in the Channel Display Options tab are not 
required; you may click Finish. If you want to set display options: 

a. Select a field set from the drop-down list and click OK. 

b. Change the Sort By field from the drop-down list and the sort order. 

c. Click Finish. 

Dashboards 

Click Finish. You are done. 

Query Viewers 

For a query viewer destination, field mapping is required: 

a. On the Field Mapping tab, click Add to display a drop-down list of source fields. You must 
define at least one field map. 

The source fields are from the source query viewer (the one you are drilling down from). The 
mapping condition is always set to =. 

b. Under the Destination Field column, select a field from the destination query viewer (the one 
you are drilling down to). 

The drilldown definition shown in the example maps the source query viewer/data monitor “Name” 
column to the target query viewer/data monitor “Name” column. This constructs the following 
drilldown filter: 

<target>.Name = <source>.Name 

where <source>.Name is replaced by the actual value from the selected source query viewer/data 
monitor row. 

If there are no eligible field mappings, you cannot complete the drilldown definition; the Finish 
button is disabled. You can add or remove field mappings, but your choices are limited to the 
columns already provided in the query viewer. 

c. On the Display tab, you can choose to show (check) or hide (uncheck) the data fields in the 
drilldown result. 

d. On the Sort tab, click Add to select the columns that specify the sort order of the resulting 
values. For each added column, set the sort order to ascending (the default) or descending. 

e. Click Finish. 

Reports 

For a report destination, the settings in the Report Display Options tab are not required. To 
use the parameters set for the report, click Finish. If you want to change the drilldown’s 
display options: 

a. Click Add to display a list of the destination report’s custom parameters, then select a 
parameter. 

b. Under the Value column, select the field whose value will be used for the parameter. 

c. Click Finish. 


7. Repeat the process to add multiple drilldowns as required. 

Tips on drilldown definitions: 

• If there is only one drilldown, this is the default drilldown for that resource. If there are multiple 
drilldowns, the first drilldown is the default. You can change the order on the Drilldowns tab. 

• When you run the query viewer results or view a data monitor, right-click, and select Drilldown, the 
selection list displays the list of drilldowns defined for that resource. The default drilldown is at the 
top of the list, and the remaining drilldowns are displayed in the sequence as they appear on the 
data monitor or query viewer's Drilldowns tab. 

• You can define drilldowns for multiple fields of different data types. For example, you can define a 
drilldown to return a combination of event name and IP address. The first step would be to define a 
base query viewer to return these fields in a result, and then, as a next step, add a drilldown and 
select that query viewer to use as the “Drill down to” query viewer. 

• You cannot define drilldowns to go to fields that are SQL functions. 
Editing a Drilldown 

To edit a drilldown: 

1. Open the editor for the query viewer or data monitor you want to edit. 

2. Click the Drilldowns tab. 

3. Select the drilldown you want to edit and click Edit. 

The drilldown dialog for this drilldown is displayed. Change the fields and options as described in 
"Adding a Drilldown" on page 342. 


Note: You can also edit the drilldown from the query viewer or data monitor results. Right-click 
and select Drilldown > Edit Drilldowns. Selecting this command opens the editor for the query 
viewer or data monitor at the Drilldowns tab. 


Changing the Default Drilldown 

When you run the query viewer results or view a data monitor, right-click, and select Drilldown, the 
selection list displays the list of drilldowns defined for that resource. The default drilldown is at the top 
of the list, and the remaining drilldowns are displayed in the sequence as they appear on the Drilldowns 
tab. This default position is not affected by any sorting of drilldowns. 

To change the default drilldown: 

1. Open the editor for the data monitor or query viewer you want to edit. 

2. On the Drilldowns tab under the Default column, click the button corresponding to the drilldown 
you want as the default and save. 

The default drilldown will appear at the top of the selection list the next time you right-click on the query 
viewer results or data monitor and select Drilldown. 

See also "Sorting or Changing the Order of Drilldowns" below for related information. 


Sorting or Changing the Order of Drilldowns 

If you create multiple drilldowns to different resource types, the Drilldowns tab displays the drilldowns 
in the sequence they were created. This initial sort order affects the selection list if you right-click the 
data monitor or query viewer results on the Viewer panel and select Drilldowns. 

You can re-order the drilldowns in two ways: 

• Sorting the drilldowns 

• Moving specific drilldowns up or down the list 

To change the sort order: 

1. Open the editor for the data monitor or query viewer you want to edit. 

2. Click the Drilldowns tab and click Sort on the toolbar. 

Multiple drilldowns on the Drilldowns tab are sorted in two passes, as follows: 

■ First, the drilldowns are sorted alphabetically by resource type: active channels, dashboards, 
query viewers, and reports. 

■ Next, within each resource type, the drilldowns are sorted alphabetically by their menu labels. 

The sort is stable: after you click the Sort button, clicking it again does not change the order. 

Note: Even if the default drilldown moves after sorting on the Drilldowns tab, the default will 
still be at the top of the selection list when you right-click on the data monitor or query 
viewer results and select Drilldowns. If you want to change the default itself, follow 
instructions in "Changing the Default Drilldown" on the previous page. 

To move a drilldown’s position on the list: 

1. Open the editor for the data monitor or query viewer you want to edit. 

2. Click the Drilldowns tab and select a drilldown. Do not click under the Default column unless 
you are changing the default drilldown. 

3. On the toolbar, click the up or down arrow buttons to move the drilldown up or down the list. 


Removing a Drilldown 

You can remove any drilldown, including the default drilldown, one at a time. If you delete the default 
and you have multiple drilldowns, the next drilldown on the list becomes the default. 

To remove a drilldown: 

1. Open the editor for the data monitor or query viewer you want to edit. 

2. Click the Drilldowns tab. 

3. Select the drilldown you want to remove and click Remove. 

4. Repeat as required. 
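The rules spread across "Adding a Drilldown", "Changing the Default Drilldown", "Sorting or 
Changing the Order of Drilldowns", and "Removing a Drilldown" are easier to check when written 
down as code. The following is an added Python model, not ArcSight code: the Drilldown and 
DrilldownList names, the function names, and the sample drilldowns are assumptions made for the 
example. It encodes what the text states (the first drilldown added is the default, sorting is 
by resource type then menu label, the default is always listed first under right-click > 
Drilldown, the next drilldown is promoted when the default is removed, a query viewer 
destination needs at least one = field mapping, and SQL-function fields cannot be drilldown 
targets). The check for an SQL-function field is a heuristic on the field name, also an 
assumption. 

```python
"""Drilldown list semantics for a query viewer or data monitor (added illustration, not ArcSight code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Drilldown:
    menu_label: str
    resource_type: str  # "Active Channels", "Dashboards", "Query Viewers" or "Reports"
    destination: str    # name of the target resource
    field_mappings: List[Tuple[str, str]] = field(default_factory=list)  # (source field, destination field)


def is_sql_function(field_name: str) -> bool:
    """Heuristic (assumption): aggregate columns such as COUNT(Event ID) look like function calls."""
    return "(" in field_name and field_name.rstrip().endswith(")")


def drilldown_condition(dd: Drilldown, source_row: Dict[str, object]) -> str:
    """Build the filter a drilldown applies: <target>.<dst> = <value of the clicked row's src field>."""
    if dd.resource_type == "Query Viewers" and not dd.field_mappings:
        raise ValueError("a query viewer drilldown requires at least one field mapping")
    clauses = []
    for src, dst in dd.field_mappings:
        if is_sql_function(dst):
            raise ValueError(f"cannot drill down to SQL function field {dst!r}")
        clauses.append(f"<target>.{dst} = {source_row[src]!r}")   # mapping condition is always '='
    return " AND ".join(clauses)


class DrilldownList:
    """The Drilldowns tab of one query viewer or data monitor."""

    def __init__(self) -> None:
        self.items: List[Drilldown] = []
        self.default: Optional[Drilldown] = None

    def add(self, dd: Drilldown) -> None:
        self.items.append(dd)
        if self.default is None:   # the first drilldown added becomes the default
            self.default = dd

    def find(self, menu_label: str) -> Drilldown:
        for d in self.items:
            if d.menu_label == menu_label:
                return d
        raise KeyError(menu_label)

    def set_default(self, menu_label: str) -> None:
        self.default = self.find(menu_label)

    def sort(self) -> None:
        """Sort by resource type, then by menu label. The default keeps its row; only the menu pins it first."""
        self.items.sort(key=lambda d: (d.resource_type.lower(), d.menu_label.lower()))

    def move(self, menu_label: str, offset: int) -> None:
        """Move one drilldown up (offset=-1) or down (offset=+1) the tab order."""
        i = self.items.index(self.find(menu_label))
        j = max(0, min(len(self.items) - 1, i + offset))
        self.items.insert(j, self.items.pop(i))

    def remove(self, menu_label: str) -> None:
        dd = self.find(menu_label)
        i = self.items.index(dd)
        self.items.remove(dd)
        if dd is self.default:
            # The next drilldown on the list becomes the default (assumption: the last
            # remaining one when the removed default was itself last).
            self.default = self.items[min(i, len(self.items) - 1)] if self.items else None

    def selection_menu(self) -> List[str]:
        """Labels as shown under right-click > Drilldown: the default first, then tab order."""
        rest = [d.menu_label for d in self.items if d is not self.default]
        return ([self.default.menu_label] if self.default else []) + rest


def build_example() -> DrilldownList:
    """Constructed example: three drilldowns of different types, added in non-alphabetical order."""
    dl = DrilldownList()
    dl.add(Drilldown("Source Addresses", "Query Viewers", "Source Addresses by Event",
                     field_mappings=[("Name", "Name")]))
    dl.add(Drilldown("Event Report", "Reports", "Top Events"))
    dl.add(Drilldown("Live Events", "Active Channels", "All Events"))
    return dl


if __name__ == "__main__":
    dl = build_example()
    print("menu before sort:", dl.selection_menu())
    dl.sort()
    print("tab order after sort:", [d.menu_label for d in dl.items])
    print("menu after sort:", dl.selection_menu())
    print(drilldown_condition(dl.find("Source Addresses"), {"Name": "ICMP PING"}))
```

Note the distinction the model makes explicit: Sort reorders the rows on the tab, but the 
selection menu always places the default first regardless of where sorting left it, which is 
exactly why changing the default and reordering the tab are two separate operations. 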


Running Queries and Viewing Results 

To run a query defined in a query viewer, do either of the following: 

• Select a query viewer and choose View Data as... > <Display Format> 

Or 

• Double-click a query viewer. 

Double-clicking provides the default view, as defined in the query viewer. For information on how to 
set the default view, see "Query" on page 329. 

The query runs, and returns results in the Viewer on the current state of the network and event flow. 

Alternatively, you can add the result of a query viewer directly to a dashboard. For information on this, 

see "Adding Query Viewers to Dashboards" on page 360. 

To run queries and view results: 

1. In the Navigator panel, choose the Query Viewers resource. 

2. Navigate the tree, and select the query viewer you want to run. 

3. Right-click the selected query viewer and select View Data as > <Display Format> and choose 
one of these options: 

Display Formats of Query Results 

Format                Description 
BarChart              Display query results as a bar chart. 
Horizontal BarChart   Display query results as a horizontal bar chart. 
Pie Chart             Display query results as a pie chart. 
Table                 Display query results in table format. 


Note: Baselines can only be applied to or viewed for query results shown in table 
format. (For more about establishing and using baselines, see "Defining and Using 
Baselines" on page 335.) 
Note: Chart-style views (pie and bar charts) are limited to showing a maximum of 99 rows. This 
is a hard limit for charts to guarantee readability; it is not user-configurable. Table views, 
however, can accommodate up to 10,000 rows of data in a query result. You should therefore expect 
that results in chart views and table views for the same query viewer might not match. 


Details on how to read and manipulate query results for each of these formats are provided. 

■ If you choose a Table display format, the results are displayed instantly. 

■ If you choose a bar chart or pie chart, you are asked to configure the chart display in the 
Configure Chart dialog. 



Field          Description 

Values         The Values drop-down menu lists fields in the query result that contain numeric 
               data types. The value you choose supplies the numbers that plot the vertical y axis 
               points on a bar chart or the slice sizes on a pie chart. Values typically represent 
               an unknown set of values, like a count. Common examples of numeric data appropriate 
               for Values are a time like HourOfDay or a count like Count(Event ID). 

Point Labels   The Point Labels drop-down menu lists fields in the query result that contain 
               non-numeric data types. The point labels plot the horizontal x axis labels on a bar 
               chart or the slice labels on a pie chart. Examples of non-numeric data types 
               appropriate for point labels are timestamps, strings such as event names, and 
               addresses such as IP or MAC addresses. Point labels are typically a known, limited 
               set of values (like the hours in a day, denoted by timestamps). 


4. Select fields for Values and Point Labels. 

Example view settings: 

For example, for the Event Counts by Hour of Day query viewer, selecting Count(Event ID) for 
Values (the y axis) and Hour of Day (or Timestamp) for Point Labels (the x axis) results in the 
following display showing the event count for each hour of the day. The event count is depicted on the 
vertical y axis, with higher bars representing a higher event count for that hour. The hour of day (time) is 
represented on the horizontal x axis. The event count is shown for the last 24 hours starting at 11 am. 
[Figure: Event Counts by Hour of Day: Bar Chart. Query: Event Counts Trend Query; 24 shown / 24 
matches; Last Update: 25 Jul 2008 12:06:19 PDT; Filter: No Filter. The x axis is HourOfDay and 
the y axis is Count(Event ID).] 
Understanding the results view: 

The results are displayed in the Viewer. The following example shows the “Event Counts By Hour of 
Day” query result as a table, a bar chart, and a pie chart. 
To run a query viewer, right-click one and choose View Data as > <Display Format>. Depending 
on the display format you select, the query viewer result is shown as a bar chart, pie chart, or 
table. (Right-click query results in the Viewer to generate a report.) 

[Figure: the Event Counts by Hour of Day query viewer result shown three ways: for View Data as > 
Table, for View Data as > Bar Chart, and for View Data as > Pie Chart.] 

Notice that the time range for the base query is shown on the lower left of the query viewer results. 
Hover the cursor over the time range to see an annotated view of start and end times (data 
collection start time and data last received). This time range comes from the base query. 
(Another way to see the query time range is to open the query viewer in the editor and double-click 
*Query in the Attributes display to drill down to the base query editor, which shows query start and end 
times.) 

Following is the time range of the base query: 

[Figure: the time range specified in the base query appears at lower left of the query viewer 
results; hovering over it shows "Data collection start time: 10/19 14:02:34" and "Data last 
received: 10/20 15:02:34".] 


ArcSight Console User's Guide 
Chapter 13: Query Viewers 


Working with Query Viewer Results 

Various options are available to you with the different query result display formats (Bar Chart, 
Horizontal BarChart, Pie Chart, or Table). 

Viewing query results in table format gives you the ability to establish baselines and make 
comparisons, as well as manipulate the table data. 

Note: Query viewers and channels display results from variable calculations differently. For 
example, a value may be displayed as -0.1 in a query viewer, and -0.099999999999... in a channel. 
Such variations are due to differences in the way floating point operations are carried out. 

Barcharts and pie charts provide at-a-glance, graphical overviews of the results but with fewer options 
for manipulating the data after the fact. 

Other options, such as filtering a query viewer results or running reports, are available on all result 
views. 

Details of working with each view format are provided in the following topics. 

Results in Table Format 


To get results in Table format, right-click a query viewer and choose View Data as > Table. You can 
sort, re-order, and create/compare baselines for data in a table view. 


[Figure: Top Event Counts by Hour of Day: Table (Query: Top Event Counts Trend; Last Update: 
16 Apr 2008 14:57:49), with the following callouts.] 

Left-click a table column header to sort or reverse-sort it. This affects the entire table. 

Right-click a table column header to get a list of sort and edit options for the column. 

The arrow next to a column header indicates that the column determines the current sort order 
for the table and shows the sort direction (for example, this column is sorted showing the 
highest count first). 

You can add a baseline to a table view of query result data, then run baseline comparisons to 
identify deltas in network behavior. Only table views of query result data can be baselined and 
compared. 


Investigate View Options 

The following right-click Investigate options are available on query viewer results in table format 
(obtained by choosing View Data as > Table): 
• Baselines. Right-click anywhere on the table of results in the Viewer to add a baseline or compare 
the current results to an existing baseline. 

• Drilldowns. Right-click a row in the table result to launch a given drilldown on that row item (if 
drilldowns are provided in the query viewer). 

• Channels. Right-click a cell in the table result to create an active channel with a filter based on the 
value of the selected table cell. 

• Conditions. Right-click a cell in the table result to add a filter condition based on the value of the 
cell. 


Note: The Investigate option is not available if your base query is not on events; for example, if 
the query is on a session list. 


[Figure: right-click Investigate menu on a query viewer table result, with the following callouts.] 

Right-click a table result in the Viewer to get Investigate options. (By default, add baselines 
and view available baselines here.) 

If a query viewer includes drilldowns, these are shown as Investigate options (for example, this 
one has drilldowns to source and destination addresses). Drilldowns are row-specific: right-click 
a row in a table view to get the drilldown options for that row. 

Right-click a cell (event Name, in this example) in the Viewer to get Investigate options to 
create a channel for the selected field or to add a condition (filter) to the selected field. 

Investigate Options for Results are shown in the following table. 
Investigate Options on Query Viewer Results 

Add as baseline 

Add the current results as a baseline for the query viewer. 

Right-click anywhere on the table result in the Viewer to add a baseline to the query viewer or 
compare the current results to an existing baseline. 

(See "Defining and Using Baselines" on page 335 and "Adding a Baseline" on page 337.) 

Compare with: <Baseline> 

Compare the current results with the selected baseline. 

Right-click anywhere on the table result in the Viewer to compare the current results to an 
existing baseline. 

This menu option is available if there are one or more baselines established for the query 
viewer. All baselines associated with the query viewer are available from this menu for 
comparison. 

(See "Comparing Displayed Results to a Baseline" on page 338.) 

Drilldowns 

See "Managing Drilldowns from Query Viewers" on page 342 and "Drilldown Example" on page 367. 

Query viewers enable you to drill down to active channels, dashboards, query viewers, and 
reports. If the query includes an event ID or resource ID, you can also drill down to that 
resource. See "Viewing an Event or Resource Directly from the Query Viewer" on page 360 for 
details. 

If there are drilldowns associated with the query viewer, these are listed after the baseline 
options on the right-click Investigate menu for a selected row in the query viewer result. 

Right-click a row in the table result, and choose Investigate > <Drilldown Option>. 

For example, an Events query viewer could provide drilldowns to view all source addresses for a 
selected event. Assuming each row in the result table represents an event, choosing this 
drilldown from the Investigate menu would lead to a table showing source addresses for the 
selected event. 

Create Channel 

Creates an active channel with a filter based on the selected cell in the table result. 

For example, right-clicking a table cell with an event name and choosing Investigate > Create 
Channel [EventName] creates an active channel that monitors and filters for occurrences of that 
event name. The filter is always set to the value of the cell (which in this example would be the 
event name). 

For more information about using active channels, see "Viewing and Using Channels" 
on page 21 1 . 
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Investigate Options on Query Viewer Results, continued 


Option 

Description 

Add 

Brings up the Conditions Editor for the selected item, where you can add or modify 

Condition 

conditions (filters) on the selected item. 


Right-click a cell in the query viewer table result to add a filter condition based on the 
value of the cell. 


For more information on working with Conditions, see Common Conditions Editor 
(CCE)" on page 864. 


Column Sort, Display, and Edit Options 

Right-click a column header in a query viewer table result to get various options on that column. 

Column Header Options 

Option: Sort Column 

Description: Sort items in the column in ascending or descending order. 

Columns that have been sorted after the query viewer run show an up or down arrow next 
to them to indicate the direction of the sort. 

You can also sort the column by left-clicking the column header. Clicking multiple times 
toggles the sort between: 

• ascending order (indicated by an up arrow next to the header) 

• descending order (indicated by a down arrow next to the header) 

Notes: 

• Sorting on the contents of a column after a query viewer displays its results changes 
the view of the data provided by the original query. A query sorts during a query run, 
and then displays the data based on the sorting it did. If you click columns to re-sort, 
you are changing the sort order the query gave you. In the cases where the original 
query used a "single-column" sort, you can "get back" to it in the viewer, but you can't 
get back to a multi-column sort because this is offered only in the query sort options, 
not on the Console UI. 

• Keep in mind that this option sorts on the data result returned by the query. This in 
combination with query row limits (applied when the query is run) can sometimes yield 
unexpected results. Example: If the query is defined to run on 2 days' worth of data 
but hits the 10,000 row limit after processing only 1 day of data, then only 1 day's 
worth of data is returned in the result. An "after-query" sort, in this example, is a sort on 
only 1 day's worth of data. 

• Sorting at the query viewer level sorts only the data returned by the query to the Viewer. 
Initial sorting is done by the base query, which is responsible for running against the 
database. If the query viewer level sort is yielding unexpected results, keep in mind that the 
original base query sort determines how much you can modify the view of the result. 

See also "Sort Baseline Data" on page 340. 

Option: Remove Sort 

Description: Remove a sort on the selected column. You can remove sorting imposed when the query 
viewer was run or when a UI column-click sort was done on the displayed result. 




Option: Show Column 

Description: Right-click anywhere on any column header in a table to get a context menu of columns 
included in the display result. 

Select columns to hide or show in the result. Columns with no checkmark beside them 
are hidden. 

This is the equivalent of hiding or showing a column before the query viewer runs. 
(However, only columns configured to be included in the original query are available to 
hide/show after the query is run.) 

To show a column in the results view that is currently hidden (whether before or after the 
query ran), right-click again and choose it (checkmark it). 

See also "Show or Hide Baseline Columns" on page 340. 

Option: Size to Fit 

Description: Expand the column, if needed, to accommodate the full width of the text in each row of the 
selected column. 


Option: Drag-and-Drop options 

Description: Left-click-and-drag on a column header to reposition it in a different horizontal order in the 
table. For example, if the original query viewer result shows columns in this order: 

TimeStamp               Name                                         Count(Event ID) 
12 May 2008 18:00...    Monitor Event                                5460 
12 May 2008 18:00...    Top value count data monitor value current   807 
12 May 2008 18:00...    NETBIOS SMB-DS DCERPC NTLMSSP asn1...        661 
12 May 2008 18:00...    NETBIOS SMB-DS Session Setup AndX req...     658 
12 May 2008 18:00...    Task successfully scheduled                  40 

You can click-and-drag TimeStamp to the right so that the columns display in this order: 

Name                                         TimeStamp               Count(Event ID) 
Monitor Event                                12 May 2008 18:00...    5460 
Top value count data monitor value current   12 May 2008 18:00...    807 
NETBIOS SMB-DS DCERPC NTLMSSP asn1...        12 May 2008 18:00...    661 
NETBIOS SMB-DS Session Setup AndX req...     12 May 2008 18:00...    658 
Task successfully scheduled                  12 May 2008 18:00...    40 

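The Sort Column notes above warn that a column-header sort operates only on the rows the base query returned, so a row limit reached part-way through the time range silently changes what "top" means. The following Python script is an added example and is not part of the ArcSight documentation or product: it models a two-day event table in SQLite, runs a base query whose row limit is hit after the first day, and shows that an after-query sort by count ranks a different event than a query-level sort does. The table layout, the event names and counts, and the row limit of 48 are all constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data (not from the page): two days of events, bucketed per hour.
# Day 1 is steady background noise; day 2 contains one large spike in hour 30.
def build_events_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (end_time TEXT, name TEXT)")
    start = datetime(2008, 5, 12, 0, 0, 0)
    rows = []
    for hour in range(48):
        ts = (start + timedelta(hours=hour)).isoformat()
        rows += [(ts, "Monitor Event")] * 20
        rows += [(ts, "Task successfully scheduled")] * 5
        if hour == 30:                      # the spike, on day 2
            rows += [(ts, "Attack from Suspicious Source")] * 500
    conn.executemany("INSERT INTO events VALUES (?, ?)", rows)
    return conn

def run_query(conn, order_by, row_limit):
    """Base query: event counts per hour and name over the whole 2-day range.
    `order_by` is the query-level sort and `row_limit` the query's row limit;
    the limit is applied after the sort, exactly as LIMIT does in SQL.
    `order_by` is a constant chosen in this script, never user input: it is
    interpolated into the SQL text, and that would be an injection point otherwise."""
    sql = f"""
        SELECT substr(end_time, 1, 13) AS hour, name, COUNT(*) AS cnt
        FROM events
        GROUP BY hour, name
        ORDER BY {order_by}
        LIMIT ?"""
    return conn.execute(sql, (row_limit,)).fetchall()

def hours_covered(rows):
    """How many distinct hours survived the row limit."""
    return len({r[0] for r in rows})

def top_after_query_sort(conn, row_limit):
    """What a column-header click gives you: the query sorted by time, truncated
    by the row limit, and only THEN sorted by count in the Console."""
    rows = run_query(conn, "hour", row_limit)
    return max(rows, key=lambda r: r[2])

def top_with_query_sort(conn, row_limit):
    """The same question answered by the base query's own sort: the limit is
    applied after ORDER BY cnt DESC, so the day-2 spike is kept."""
    return run_query(conn, "cnt DESC, hour", row_limit)[0]

if __name__ == "__main__":
    conn = build_events_db()
    print(hours_covered(run_query(conn, "hour", 48)))   # 24: the limit is hit after one day
    print(top_after_query_sort(conn, 48))               # ('2008-05-12T00', 'Monitor Event', 20)
    print(top_with_query_sort(conn, 48))                # ('2008-05-13T06', 'Attack from Suspicious Source', 500)
```

With 48 rows allowed and two grouped rows per hour, the time-sorted query returns exactly the first 24 hours; the Console-side sort then confidently reports "Monitor Event" as the busiest row while the 500-event spike never reached the Viewer. Putting the sort in the base query, or raising the limit so the whole range fits, is the fix.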

Results in Chart Formats 

To get results in Chart format, right-click a query viewer and choose either: 

• View Data as > Bar Chart or Horizontal Bar Chart 

• View Data as > Pie Chart. 
Right-click an item in a chart view to get Investigate options for that item (e.g., event). The context 
menu on a chart item offers Hide Series, Report..., Create Channel, Add Condition ... to Editor, and 
Refresh. 

Investigate menu includes options to: 

- create a channel for selected item 

- add a condition (filter) to selected item 


Chart Options 

Option: Drilldowns 

Description: Query viewers can provide drilldowns to "Active Channels" on page 785. If the query 
includes an event ID or resource ID, you can also drill down to that resource. See 
"Viewing an Event or Resource Directly from the Query Viewer" on page 360 for 
details. 

If there are drilldowns associated with the query viewer, select an item in the first or 
key column, then right-click to get drilldown options in the Investigate menu. 

For example, an Events query viewer could provide drill-downs to view all source 
addresses for a selected event. Choosing this drilldown from the Investigate menu 
on a query result would lead to a table showing source addresses for the selected 
event. 

See "Managing Drilldowns from Query Viewers" on page 342 and "Drilldown 
Example" on page 367. 

Option: Create Channel 

Description: Creates a channel on the selected item. (For example, right-clicking an event and 
choosing Investigate > Create Channel [EventName] creates an active channel 
that monitors and filters for occurrences of that event.) 

For more information about using active channels, see "Viewing and Using 
Channels" on page 211. 

Option: Add Condition 

Description: Brings up the Conditions Editor for the selected item, where you can add or modify 
conditions (filters) on the selected item. 

For more information on working with Conditions, see "Common Conditions Editor 
(CCE)" on page 864. 
Filtering Query Viewer Results 

You can filter query viewer results shown in table and chart formats. 


To filter query viewer results: 

1. Click “Filter: No Filter” in the header of a query result view. (You can also right-click the filter name 
and choose Edit Filter from the context menu.) 

The Common Conditions Editor (CCE) dialog opens. 


2. Use the CCE dialog to add a filter. (For details on how to use the CCE dialog to create filters, see 
the topic on the "Common Conditions Editor (CCE)" on page 864.) 


Example of a filtered result: the result header shows Query: Top Event Counts Trend Query; 
Last Update: 11 Jun 2008 17:55:40 PDT; Filter: Name Contains "Attack"; 23 shown / 425 matches. 
The Query Data Filter (Common Conditions Editor) dialog shows the single condition 
Name Contains Attack, and the remaining rows are trend results such as 
"Attack Rates by Attacker Zone". 

3. Click OK to save the filter, and filter the current result view. 


Note: Filters on query viewer results are saved locally and are available only while the current 
result set is displayed. These filters are not saved as a part of the query viewer. When you 
close the query viewer result, the filter is no longer available; recreate it on a new result set. 


Tip: You can also apply filters to baseline delta columns. See "Defining and Using Baselines" 
on page 335. 
To remove a filter: 

To remove a filter from a displayed query viewer result, right-click the filter name in the header of the 
result view and select Remove Filter from the context menu. 


Viewing an Event or Resource Directly from the 
Query Viewer 

If your query viewer is for events or resources and the query viewer results include an event ID or 
resource ID field, you can go directly to a specific event or resource from the query viewer. 

Right-click the event or resource and select View > [Event Name] Details or View [Resource Name] 
Details. For example, drill down to 

• An event if the query includes the event ID field 

• An actor if the query includes the actor ID field 

• An asset if the query includes the asset ID field 

• A case if the query includes the case ID field 


Troubleshooting Query Viewers 

If queries time out, especially if your environment monitors high event rates (in the thousands per 
second), try reducing the number of rows to the range of 100 to 1000 and see if there is an 
improvement. If that does not improve execution time, refer to the Troubleshooting chapter of the 
ESM Administrator's Guide, under the topic "Query and Trend Performance Tuning". 


Adding Query Viewers to Dashboards 

You can add a query viewer result to a dashboard as follows: 

1 . If you have identified an existing dashboard to which you want to add the query viewer, open the 
dashboard in the viewer and make sure it is the focus. If you want to add the query viewer to a new 
dashboard, continue to the next step. 

2. Choose Query Viewers in the Navigator. 

3. Select a query viewer, right-click and choose Add to Dashboard As >, then choose an 
applicable display format (table, bar chart, horizontal bar chart, or pie chart). 

The query viewer result is displayed on the open dashboard. If a dashboard is not displayed, a new 
untitled dashboard is created for the query viewer result. 




4. Save the existing dashboard. 

Or if this is a new dashboard: 

a. Right-click the title bar of the dashboard and choose Save Dashboard As. 

b. In the popup dialog, navigate to the group where you want to save the dashboard, enter a name 
for the dashboard, and click OK. 

By default, this new dashboard is a regular dashboard. If you want to change it to a custom 
view dashboard, see "Using Custom View Dashboards" on page 264. 

You can add multiple query viewer results sets along with other resources to a single dashboard. 

For more information about working with dashboards, see "Using Dashboards" on page 238. 


Adding Query Viewers as Startup Views 


To set up Query Viewers as the startup view for a group: 

1 . Select Users in the Navigator. 

2. Right-click a group and choose Edit Groups from the context menu. 

3. In the editor for the selected group, click the Startup Views tab, then click the Query Viewers subtab. 

4. Click Add... to bring up the Query Viewer Selector. 

5. In the Query Viewer Selector dialog, navigate to and select (checkmark) the query viewer you 
want as the startup query viewer for this group and click OK. 

The full path to the query viewer you selected is shown on the Query Viewers tab in Startup 
Views. 

6. Click Apply to save your changes and leave the group editor open, or click OK to save and close 
the group editor. 


For more information on editing groups and startup views, see "Managing User Groups" on page 180 
and "To set Console startup views:" on page 182. 

Tip: Regardless of startup view settings for groups, if Query Viewers are showing when you quit 
the Console, these are reloaded when you restart the Console. 
Generating Reports from Query Viewers 

After you run a query viewer, you can generate a simple report containing the results. Reports initiated 
from query viewers are provided for convenience as a quick way to share the result data. Query viewer 
reports are limited to displaying data from the single query covered by the query viewer and retain the 
format of the chart or table in which the query viewer results are displayed. For information on creating 
and publishing richer, highly formatted reports on multiple data sources see "Building Reports" on 
page 371 and "Running and Managing Reports" on page 448. 

Tip: On row limits 

The report display format is based on the display chosen for the query viewer result. For example, 
if you chose to view query data as a pie chart, the generated report shows the same pie chart view. 
To generate a report showing results for the same query as a bar chart or table, you must re-run 
the query viewer (<Query Viewer> > View Data as) in one of those formats, and then generate 
the report from that view. 

The report contents might not include as much data as the query viewer result shown in the 
Console for these reasons: 

• Reports on pie charts and bar charts have a default row limit of 25 rows and a maximum of 
99 rows. This is user-configurable: you can set a higher or lower row limit on the Report 
Parameters dialog you get when you run the report. (See the procedure below.) 

• Reports on tables can accommodate up to 10,000 rows. 


To generate a report on a query viewer: 

1. Right-click the query viewer results table or chart (anywhere in the Viewer panel) and click 
Report. 

Example: in the Viewer, a pie chart result titled "Event Counts by Hour of Day: PieChart" with the 
header Query: Event Counts Trend Query; 24 shown / 24 matches; Last Update: 4 Jun 2008 
13:39:03 PDT; Filter: No Filter, covering 6/3 12:39:03 - 6/4 13:39:03. The right-click menu on the 
chart offers Hide Series, Report..., Refresh, and Help. 

2. Specify the options on the Report Parameters dialog or take the defaults and click OK. For more 
help on setting report parameters, see "Running a New or Archived Report" on page 449. 


Tip: If you click Save Output on the Report Parameters dialog, you get additional options for 
setting the archived report under the Save Output Parameters section. 


3. When the report is ready, a dialog gives you the option of opening it to view it now or saving it to a 
location you specify through a file browser. 

Choose Open to view the report or Save to save it in a specified location. 


Example Queries for Common Scenarios 

Query viewers can be used to monitor daily network traffic and get high level summaries of typical 
activity. Query viewers can also be used to drill down on anomalies or other interesting events. 

Following is a brief, conceptual scenario of how an analyst might use query viewers to monitor and 
investigate certain types of activity. 
Also included here is a description of how the query content developer might build and configure 
the base query and query viewers that the analyst uses. 

Tip: In practice, ArcSight ships with pre-built queries and query viewers as standard content. It is 
likely that the types of resources described here are provided with ArcSight. 

Even so, the configuration of the base query and query viewers is described to illustrate and 
support this example, and show how a content developer might fine tune these resources to gather 
the information needed. 


Basic Analysis High Level Summaries 

A security analyst wants to check if anything unusual is happening on their system. The analyst brings 
up a query viewer called “Events” that shows all events by event name for the last 2 hours. The 
columns include: 

• Event name 

• Total count of all events 

• Count by unique source address 

• Count by unique destination address 

Analyst’s First View of Events 

The analyst can easily glance at the data and see if anything looks out of the ordinary. Columns can be 
sorted and filters can be changed to refine the details. The data should come up almost immediately. 


Example result of the Events query viewer, shown as a table (Live): Query: Events; Last Update: 
13 Jun 2012 10:08:20 PDT; Filter: No Filter; 114 shown / 114 matches. The columns are Name, 
COUNT(Events), and COUNT(Destina... 
How the Events Query Viewer is Built 

The Events query viewer described in this example leverages the Events query. 


Attributes 

Bringing up the query viewer editor for the Events query viewer shows that the Events query is used 
as the base query. Bringing up the Events query (base query) in the query editor shows that the base 
query searches on events for the last 2 hours. (Queries are under Reports > Queries in the Navigator.) 

The Events query viewer uses the Events query as its base query. 

Fields 

The fields selection, order by, and group by logic are all defined in the Fields tab for the base query. The 
Events query viewer inherits the fields from the base query. These show up on the query viewer Fields 
tab. 


• The Events query viewer inherits fields from the Events base query. 

Events Base Query Conditions Tab 

The condition logic to search on Events is defined in the Conditions tab for the base query. 
Note: If the event value in your query is the @ symbol by itself, enclose it in double quotes. For 
example: 

Name Contains “@” 

You are not required to use the double quotes if the @ symbol is used with other text, for example, 

Name Contains @mycompany. 


Drilldown Example 

Continuing from the example in "Basic Analysis High Level Summaries" on page 364, the security 
analyst notes that one of the counts seems troublesome. For example, “Attack from Suspicious 
Source” is high and showing a lot of unique destination addresses. The analyst would right-click this 
row and choose Show Source Addresses. 

The resulting query viewer would show, for this event and time range, the source addresses, as well as 
other columns of interest (for example, destination address). Then by sorting by source address, the 
analyst could decide if a single source address (probably with the highest count) was the initiator of 
most of the attacks. This information could also be provided from an appropriate back-end trend table 
(the same one or a different one), and, as a result, the display should come up almost immediately. 



The analyst could also show destination addresses for the same event row, if that drilldown is defined 
as a part of the query viewer. 
How the Console Builds Drilldowns 


The source and destination drilldowns are added to the Events query viewer on the Drilldowns tab at 
content development time. 

Here is the Drilldowns > Field Mapping tab for the Events query viewer example. The drilldown requires 
that at least one field is mapped. In this example, this is the Name field. 


Source Field    Condition    Destination Field 
Name            =            Name 

Here is the Drilldowns > Display tab for the Events query viewer example. 
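The Events summary in "Basic Analysis High Level Summaries", the "Show Source Addresses" drilldown in "Drilldown Example", and the Name = Name row on the Field Mapping tab describe one workflow: aggregate events by name over the last 2 hours, then carry the selected row's Name into a second, narrower query. The following Python script is an added example, not ArcSight's own code or query definitions; it reimplements that workflow over a constructed in-memory event list so the counts and the drilldown can be checked by hand. The field names (name, src, dst, end_time), the addresses and the event names are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the page). Each event carries the fields the
# example query viewer groups and counts on: name, source and destination address,
# and an end time used for the "last 2 hours" window.
NOW = datetime(2012, 6, 13, 10, 8, 20)
EVENTS = []

def _add(name, src, dst, minutes_ago, n=1):
    for _ in range(n):
        EVENTS.append({"name": name, "src": src, "dst": dst,
                       "end_time": NOW - timedelta(minutes=minutes_ago)})

_add("Monitor Event", "10.0.0.5", "10.0.0.1", 5, n=40)
_add("Task successfully scheduled", "10.0.0.7", "10.0.0.7", 30, n=3)
for i in range(25):   # one source fanning out to 25 destinations
    _add("Attack from Suspicious Source", "198.51.100.9", f"10.0.1.{i}", 10 + i)
_add("Attack from Suspicious Source", "203.0.113.4", "10.0.1.1", 15, n=2)
_add("Attack from Suspicious Source", "192.0.2.1", "10.0.1.2", 180, n=50)  # 3 h old: outside the window

WINDOW = timedelta(hours=2)

def in_window(event, now=NOW, window=WINDOW):
    return now - window <= event["end_time"] <= now

def events_summary(events, now=NOW, window=WINDOW):
    """The 'Events' query viewer: per event name, total count plus the number of
    unique source and destination addresses, over the last `window`."""
    total, srcs, dsts = Counter(), defaultdict(set), defaultdict(set)
    for e in events:
        if in_window(e, now, window):
            total[e["name"]] += 1
            srcs[e["name"]].add(e["src"])
            dsts[e["name"]].add(e["dst"])
    rows = [{"name": n, "count": total[n],
             "unique_src": len(srcs[n]), "unique_dst": len(dsts[n])} for n in total]
    return sorted(rows, key=lambda r: r["count"], reverse=True)

# Drilldowns > Field Mapping: (source field of the selected row, condition,
# destination field the drilldown query is filtered on). Name = Name, as in the text.
FIELD_MAPPING = [("name", "=", "name")]

def drilldown_conditions(selected_row, mapping=FIELD_MAPPING):
    """Build the drilldown's conditions from the values in the selected result row."""
    return [(dst, op, selected_row[src]) for src, op, dst in mapping]

def show_source_addresses(events, selected_row, now=NOW, window=WINDOW):
    """The 'Show Source Addresses' drilldown: source addresses and counts for the
    event name carried over from the selected row, in the same time range."""
    conds = drilldown_conditions(selected_row)
    counts = Counter()
    for e in events:
        if in_window(e, now, window) and all(e[f] == v for f, op, v in conds if op == "="):
            counts[e["src"]] += 1
    return counts.most_common()   # highest count first: the likely initiator is on top

if __name__ == "__main__":
    summary = events_summary(EVENTS)
    for row in summary:
        print(row)
    attack = next(r for r in summary if r["name"] == "Attack from Suspicious Source")
    print(show_source_addresses(EVENTS, attack))
```

In the summary, "Attack from Suspicious Source" shows 27 events from 2 sources against 25 destinations, which is the fan-out pattern the analyst in the text notices. The drilldown keeps the time window and adds only the mapped condition, so the 50 older events from a third source are not counted, and the source with 25 hits is at the top.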
Non-Event Analysis Example 

A security analyst wants to examine “Asset Counts by Vulnerability.” The analyst selects this viewer 
and gets the most recent result (from a trend run) and can examine a table containing columns: 
Vulnerability and Asset Count. Right-clicking a particular vulnerability row would allow drilldown into 
the assets with that vulnerability. 

Baseline Analysis for Data Comparison 

The security analyst notes that one of the counts seems significantly higher than last recalled. The 
analyst right-clicks the query viewer and selects “Compare with Baseline”, from which there are zero or 
more baselines to choose. 

This makes additional columns available to the currently displayed viewer that can be added by the 
user. For example, a new column could be added next to the current “Count” column showing “Count - 
<Selected Baseline>”. This is a comparison number showing the difference between the current value 
of the count and the baseline value for the count. This is positive, negative, or empty (if a baseline 
doesn't exist for this vulnerability). The analyst can right-click the new column to sort this column in 
ascending or descending order. 

Other options available to the analyst would be: 

• Add as Baseline... to save the current values in the display as the new named baseline. 

• Compare with... to compare to any other set of data available in the trend table. 

History Analysis Example 

As hinted in this example, any previous trend runs can be used for baseline comparison. Similarly, the 
analyst can change the query viewer to go back into the past to look at previous data. The analyst could 
use the default baseline and go back in history to see when some count began to significantly differ 
from the baseline. 
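The "Count - <Selected Baseline>" column described under "Baseline Analysis for Data Comparison" and the walk back through earlier trend runs in "History Analysis Example" are both simple enough to show in code. The following Python script is an added example and is not ArcSight's implementation: it snapshots a result set as a named baseline, computes the delta column with its three outcomes (positive, negative, or empty when the row has no baseline value), sorts that column the way the right-click sort would, and finds the first earlier trend run in which a count drifted from the baseline by more than a threshold. The vulnerability names, asset counts and run dates are constructed for illustration.

```python
# Constructed sample data (not from the page): asset counts per vulnerability name
# from an earlier trend run (saved as the baseline) and from the run displayed now.
BASELINE_RUN = [("Missing OS patch", 120), ("Default credentials", 8),
                ("Unencrypted telnet", 15)]
CURRENT_RUN = [("Missing OS patch", 180), ("Default credentials", 5),
               ("Unencrypted telnet", 15), ("SMB signing not required", 42)]
# Earlier trend runs, oldest first, for the history analysis.
TREND_RUNS = [
    ("2008-06-08", [("Missing OS patch", 121), ("Default credentials", 8)]),
    ("2008-06-09", [("Missing OS patch", 125), ("Default credentials", 7)]),
    ("2008-06-10", [("Missing OS patch", 160), ("Default credentials", 6)]),
    ("2008-06-11", [("Missing OS patch", 180), ("Default credentials", 5)]),
]

def add_as_baseline(result_rows):
    """'Add as Baseline...': snapshot the displayed key/count pairs for later comparison."""
    return {key: count for key, count in result_rows}

def compare_with_baseline(result_rows, baseline):
    """'Compare with: <Baseline>': append a 'Count - <Baseline>' column. The delta is
    positive, negative, or None (an empty cell) when the key has no baseline value."""
    return [
        {"key": key, "count": count,
         "delta": count - baseline[key] if key in baseline else None}
        for key, count in result_rows
    ]

def sort_by_delta(rows, descending=True):
    """Sort on the delta column; rows with an empty delta always go last so that
    a missing baseline is never mistaken for a zero change."""
    present = [r for r in rows if r["delta"] is not None]
    empty = [r for r in rows if r["delta"] is None]
    return sorted(present, key=lambda r: r["delta"], reverse=descending) + empty

def first_run_exceeding(runs, baseline, key, threshold):
    """History analysis: walk earlier trend runs (oldest first) and return the date of
    the first run whose count for `key` differs from the baseline by more than
    `threshold`, or None if the key never drifts that far (or has no baseline)."""
    base = baseline.get(key)
    if base is None:
        return None
    for run_date, rows in runs:
        count = dict(rows).get(key)
        if count is not None and abs(count - base) > threshold:
            return run_date
    return None

BASELINE = add_as_baseline(BASELINE_RUN)

if __name__ == "__main__":
    for row in sort_by_delta(compare_with_baseline(CURRENT_RUN, BASELINE)):
        print(row)
    print(first_run_exceeding(TREND_RUNS, BASELINE, "Missing OS patch", 20))  # 2008-06-10
```

The threshold in the history walk is a judgement call the analyst makes; the point of the function is that the comparison is always against the same saved baseline, not against the previous run, so slow drift across several runs is still caught.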
Building Reports 

These topics describe how you use ArcSight to monitor enterprise security. 

Understanding the Reporting Workflow 371 

Using Report Templates 375 

Creating Reports 379 

End-to-End Reporting Examples 412 


Reports are captured views or summaries of data that can be viewed in the ArcSight Console or 
exported for sharing in a variety of file formats. Reporting is an essential tool for communicating the 
state of your enterprise security to internal and external stakeholders. 

Reporting is a broad subject in ArcSight. Because it can use all the scheduling, conditional logic, 
resource- and rules-based filtering capabilities of the system, the possibilities can take some time to 
explore. Creating a report is a multi-step process that can involve steps using several different 
resources. 

See also "Running and Managing Reports" on page 448 and " Archiving and Scheduling Reports" on 
page 460. 

For other options for filtering the database, see "Query Viewers" on page 323 and "Viewing and Using 
Channels" on page 211. 


Understanding the Reporting Workflow 

Building reports is a multi-step process that involves use of a few different data gathering and reporting 
tools. ArcSight can gather report data using standard queries or trends. 

Tip: Reports can be relatively simple (you can create a report with the Report Wizard based on the 
results of a single query) or complex (you can create a report based on the results of layers of 
queries and trends that feed data results up the chain as the basis for new queries). See "End-to- 
End Reporting Examples" on page 412 for examples of both basic and complex reports. 

Following is a quick overview of the reporting workflow tasks and tools, along with a reminder about 
dependencies among reporting resources. 

For a more in-depth description of how these elements build on each other to create various views of 
the data, see also "Query-Trend Relationships in Reporting" on page 428. 
Step 1 - Build a Query 

A query is an ArcSight resource that defines the parameters of data to gather from an ArcSight data 
source. The results of the query then become the basis for one or more ArcSight reports or trends. As a 
data source, queries can use the database of events, assets, cases, notifications, active lists, session 
lists, or data gathered from a trend. 

Queries are described in "Building Queries" on page 301. 

Note: If all you want to do is build a report based on a single query, at this point you can skip to 
step 4 and select a template. (See "Step 4 -Select or Design a Report Template" on the next 
page.) 


Tip: Queries built for reports can also be used in query viewers. 

Query viewers provide several advantages. If you want to run quick SQL queries for monitoring 
and analysis outside of the reporting resource, you can use query viewers. You can add query 
viewers to dashboards and generate simple reports on query viewer results. 

For information on query viewers, see "Query Viewers" on page 323. 
Step 2 - Build a Trend Based on a Query 

A trend is an ArcSight resource that defines how and over what time period data is evaluated for trends. 
A trend is always based on a query, and this query is called the base query for the trend. The trend 
results are stored in a trend table in the database, and these trend tables can be queried. Queries on 
trend tables are called trend queries. Trends can also be used as the primary data source for a report. 

Trends are described in "Building Trends" on page 427. 

Note: If you want a report based on a single trend, at this point you can skip to step 4 and select a 
template. (See "Step 4 - Select or Design a Report Template" below.) 


Step 3 - Build a Query Based on a Trend 

At this point, you have the option of using a simple query or trend in a report, or you can further refine 
query results by using a trend in another query (a trend query). 

See the "Building Queries" on page 301 and "Building Trends" on page 427 for more information on how 
to do this. 


Data Gathering: Query Building 

Query source data 

• Specify the data you want to work with 

• Narrow the results by setting conditions and variables 


Data Gathering: Trend Defining 

Is data a trend? 

• Design interval trend to operate on events 

• Design snapshot trend to operate on assets, network model, cases, and notifications 


Step 4 - Select or Design a Report Template 

Use an existing report template layout or create your own using the new Report Designer tool. For 
information on working with templates, see "Using Report Templates" on page 375. 


Layout Designing 

Design report template 

• Using a stock template? 

• Design your own: chart, table, combination 
Step 5 - Create a Report 

A report is an ArcSight resource that binds data from a query or trend to an existing report template. 
Once run, the results of a report can be viewed in the ArcSight Console’s Viewer panel, saved 
(archived), and/or exported in a variety of formats. Reports can be scheduled to run at regular intervals, 
and also can be run on demand as needed. 

Reports are described in "Creating Reports" on page 379, and an overview of the whole topic is 
provided in "Understanding the Reporting Workflow" on page 371 . 

Focused reports enable you to run the same report definition on different subdivisions of the data 
without having to copy and modify the master report every time. For example, you can run an individual 
Top 10 Infected Systems report for each of your business divisions. 

The job scheduler enables you to schedule reports and focused reports to run automatically at specific 
time intervals. (The job scheduler is also used as a part of building trends which, by nature, involve 
scheduling.) 
Note: Queries and trends are intended to capture data. Reports are used to display the data from 
queries and trends. For example, if you wanted to run monthly or quarterly reports on VPN login 
statistics, you would first create one or more queries to capture the data, then create trends (based 
on the queries) to define a schedule for running the queries and storing the results, and finally 
create and run reports on the trends. For a full walk-through of this process, see "End-to-End 
Reporting Examples" on page 412. 


Step 6 - Run a Report 

ArcSight ships with a set of ready-made reports available under the Reports resource. (For example, on 
the Navigator panel under the Reports resource look in /Reports/Shared/All Reports/ArcSight 
Solutions/. Open the sub-groups (folders) to see provided reports.) 

For information on how to run an existing report, see "Running and Managing Reports" on page 448 and 
"Running a New or Archived Report" on page 449. 
Step 7 - Archive and Maintain Reports 

After running a report, you have the option to save (archive) the report results. This enables you to 
retrieve a particular report for immediate viewing without having to regenerate the report. Reports that 
are run on demand are saved on the Archives tab just like scheduled reports. If the Save Output option 
is chosen for an on-demand report, the archived report has an expiration date of 6 months from the time 
it was run (by default). If the Save Output option is not chosen for an on-demand report, the report is 
maintained in the archive for one day only. 

Archived reports can also be sent to a notification group after the scheduled report is run. 

For information on how to archive and maintain reports, see "Archiving and Scheduling Reports" on 
page 460. 


Report Sharing and Maintenance 

Share and maintain report output: 

• Save report output to share with others using archived reports 

• Create and maintain trend partitions 


Managing Dependencies for Reports Resources 

Queries, trends, and reports generally have multiple dependencies upon each other. Modifying some 
elements within one resource can affect another. If modifications to a resource impact another to the 
extent that the dependent resource is rendered unusable, errors are reflected in the ArcSight Console. 
ArcSight manages and updates most of these resources and dependencies automatically, but not all. 

For example, a trend built on a query relies on a set of fields (columns) contained in the base query. If 
you modify fields in the base query that are used in the trend, the trend is disabled. Similarly removing a 
resource (like a query) that another resource (like a report) depends on generates error messages on the 
ArcSight Console. 

Caution: Instead of modifying the trend's base query, the proper approach is to create a different 
query, then create a new trend using that query. 


Using Report Templates 

Template definitions determine how query and trend data are displayed in a report. You can edit 
ArcSight-provided report templates or create your own templates using the Template Designer Wizard. 

A template consists of report design elements, such as headers, footers, title bars, charts, and tables, 
arranged on a page according to a layout specification. Templates can accommodate input from 
multiple queries and show multiple visual elements, such as three charts and a table each pulling from 
a different data source, in a single report. 

Use the designer wizard to create and adjust templates to specify which data is displayed, what visual 
elements are used (variations on tables, charts, graphs, and so on), the layout of those elements, the 
report output file format, and much more. 

To navigate to the report templates: 

In the Navigator panel, select Reports resource from the drop-down menu and click the Templates 
tab. 

Report templates are a component of ArcSight Reporting resource tools. 

Related topics: 

• "Applying a Template to an Existing Report" below 

• "Creating a New Report Based on a Template" on the next page 

• "Copying a Template" on page 378 

• "Editing a Template" on page 378 

• "Building Reports" on page 371 


Applying a Template to an Existing Report 

1. With the Reports resource selected in the Navigator panel, click the Reports tab. 

2. If Reports groups (folders) are collapsed, click + to expand user and Shared folders, and choose 
the desired report. 

3. Double-click the report to which you want to apply a template. Alternatively, you can select the 
report, right-click and select Edit Report from the context menu. 

This brings up the Report editor in the Inspect/Edit panel. 

4. In the Report editor, click the Template tab for the selected report. 

5. In the Report Template field drop-down menu, select a template. 

6. Click OK to apply the template and close the file browser. 
7. Click Apply or OK to verify and save the template choice for the selected report. 


(Screenshot: the Report editor's Template tab in the Inspect/Edit panel for a VPN logins trend report. 
The Report Template drop-down shows "Three Charts Description Landscape"; the Text Components 
section lists the Header and Footer attributes (Text, Horizontal Alignment, Vertical Alignment, Font, 
Foreground Color, Background Color; the font shown is Serif, Plain, 10); the template browser shows 
the All Report Templates tree: ArcSight Foundation, ArcSight Solutions, ArcSight System (1 Chart, 
2 Charts, 3 Charts with and without Table, 4 Charts, Table), Packages, Personal, Public, and 
Unassigned; a Preview button is available.) 


Creating a New Report Based on a Template 

1. With the Reports resource selected in the Navigator panel, click the Template tab. 

2. Right-click your user folder (group) and select New Report from Template. This launches the 
Reports Editor in the Inspect/Edit panel with the chosen template. 

3. See "Creating Reports" on page 379 for details on how to define data for your report and fine-tune 
the template by means of the Template tab in the Report editor for this report. 


Copying a Template 

An easy way to start customizing a template is to copy an existing template and modify it to suit your 
needs. 

To copy a template: 

1. Select the Reports resource in the Navigator. 

2. Click the Template tab. 

3. Open the All Report Templates folder, navigate to a template you want to copy, and select it. 

4. Left-click, and drag and drop the selected template into your user folder. 

5. Select Copy from the Drag & Drop Options dialog. A copy of the template is dropped into your 
user folder. 

Alternatively, you can select the template you want to copy in the Navigator and choose Edit > Copy 
from the menus. Then select your user folder and click paste to drop the template into the folder. 


Editing a Template 

1. Select the Reports resource in the Navigator. 

2. Click the Template tab. 

3. Right-click a template and choose Launch Designer, or choose Edit Template and click the 
Open in Designer button on the Attributes tab for the template editor. 


Note: To create a custom template 

• The Report Designer is powered by InetSoft, which also provides the Report Designer's online 
help. Refer to the Report Designer's online help for procedures on how to customize your own 
template. 

• There are additional InetSoft documents available online for the report designer. They are 
attached to a Knowledge Centered Support (KCS) article entitled "InetSoft's Online Help 
Guides," available from the HP SSO support site. 

• For support, contact HP Customer Support. Do not use the InetSoft support information 
mentioned in their documentation. 


Creating Reports 

Reports are captured views or summaries of data that can be viewed in the ArcSight Console or 
exported for sharing in a variety of file formats. You can create reports by pulling together the result sets 
from one or more queries or trends. 

For information on how to run an existing report, see "Running and Managing Reports" on page 448. 

Creating Reports is a component of ArcSight Reporting resource tools. See also "Building Reports" on 
page 371 for an overview of all reporting tasks and tools, including how to build queries or trends and 
how to use a provided template. 


How Reports Work 

When you have source data defined in queries or trends, you can design reports to present the data in 
charts and tables. You can use one of the templates provided with ArcSight or design your own 
template using the Template Designer. This topic explains how to create a report that binds result data 
from queries and trends to a template. For information on accessing report templates, see "Using 
Report Templates" on page 375. 

The reports resource defines how query data is bound to a report template. Depending on the report 
template you use, the reports editor exposes different parameters, variables, and conditions that enable 
you to choose which elements of the query data you want to show in the report. You can also apply 
additional functions to run on the data, and set numerous formatting options. 


Report Building 

• Bind the query data to the report template 

• Refine or customize the query by choosing specific elements of the data 

• Add functions 

• Format, organize, and re-order results 

• Format fonts, text color, and background color 

Creating or Editing a Report 

Caution: Do not exceed 10,000 resources in a group. 

Where: Navigator > Resources > Reports > Reports tab 

The high-level steps for creating a report are as follows: 
1. To create a report, right-click a reports group and choose New Report. 

Note: As a general rule, create content in the user's own folder. 

To edit a report, right-click the report and choose Edit Report. 

2. In the edit panel, define report attributes such as report name (required), an optional alias, and 
other details. See "Report Attributes" on the next page. 

Entering data in the Common and Assign sections is optional, depending on how your environment 
is configured. For information about the Common and Assign attributes sections, as well as the 
read-only attribute fields in Parent Groups and Creation Information, see "Common Resource 
Attribute Fields" on page 685. 

3. Select the report template you want to use. Defaults are provided. See "Defining Report Settings" 
on the next page. 

4. Choose report data (required) by: 

a. Associating one of these existing data sources: a query, a trend, a session list, or an active list. 
You choose from the displayed resource selector. 

b. Specifying what parts of the query data source you want to use for each report element. 
Optionally, apply legends and top/bottom functions. 

See "Binding Data to the Report" on page 385. 

Note: Unlike report templates and parameters which provide defaults, you cannot save the 
report without specifying the data source. 

5. Specify report parameters concerning output details, such as file format, paper size, and routing 
instructions. You can set limits on the query return, such as row limits, time zone restraints, apply 
filters, and specify report start and end times. See "Setting Default and Custom Report 
Parameters" on page 402. 

6. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

7. Click Apply or OK to save settings and create the new report. 

Note: Be sure to click Apply or OK frequently to save settings intermittently as you work 
through the above steps. Clicking Apply saves settings and leaves the Editor open. Clicking 
OK saves settings and closes the Editor for this report. If you do not apply or accept settings 
using these buttons, your settings are not saved. 

8. Run the report to test it as described in "Running a New or Archived Report." See "Running and 
Managing Reports" on page 448. 


ArcSight Console User's Guide 
Chapter 14: Building Reports 


The following sections provide details on how to use the Report editor to define report attributes, apply 
a template, choose report data, and specify report parameters. 


Defining Report Settings 

Report settings include general attributes, template selection, and data specification. 

Report Attributes 

The Report Attributes tab is where you define a report name, set alias report name and notification 
options, and view tracking details such as when the report was created and last updated. 


The following field is required on the Report Editor's Attributes tab. 

Report Field: Description 

Name: Default name for the report. Spaces and special characters are allowed. 

Note: You can change the report name by editing the report and changing the name on the 
Attributes tab. You can also set the report name on the Jobs tab where you define the 
report's archiving schedule (see "Archiving and Scheduling Reports" on page 460), or 
change the name at report runtime (see "Running a Defined Report" on page 449). 


Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 

The following example shows the completed Report Attributes tab for a report: 



Report Templates 

The Template tab is where you specify the template for the report. You can specify fonts, colors, page 
headers and footers, and the chart and table combinations and layout you want to use. 

Report Template Selection 

To populate the editor, select a template from the Report Template drop-down menu. ArcSight comes 
with six stock templates in the System templates folder, or you can navigate to your own template. 

The following example shows the system template Three Charts Landscape. 
(Screenshot: the Report editor's Template tab with the Three Charts Landscape template selected, 
with these callouts:) 

• Report Template: Choose a template (ArcSight-provided or custom template). 

• Text Components: Specify Header, Footer, Title, Subtitle, and so on, and text formatting options 
for the report. 

• Preview area: Shows the layout of the Report Template you chose. 


Text Attributes 

The Text Attributes section provides fields to specify values for each set of text attributes. 

Report Template Text Components 

Attribute: Description 

Header 

Text: Enter the text you want to use as the header of the pages in your report, such as the name of 
your department, or the series of reports to which it belongs. 

Note: You can use Velocity template references for fields that accept text, as described in "Velocity 
References for Reports" on page 1097. 

Horizontal Alignment: From the drop-down menu, select where you want the header to appear in the 
header area: left, right, or center. 

Vertical Alignment: From the drop-down menu, select where you want the header to appear in the 
header area: top, center, or bottom. 

Font: From the drop-down dialog, select a font from the list of fonts available on your local system, 
together with the font size and style (bold, italic). The preview window shows how the font will look. 

Foreground Color: From the drop-down dialog, select a foreground color. This is the color of the 
lettering. 

Background Color: From the drop-down dialog, select a background color. This color fills the header 
box. 

Footer: Footer, Disclaimer 

Text: Enter the text you want to use as the footer of the pages in your report, such as the name of 
your company, a confidentiality statement, or the date. You can use the variables provided (such as 
$currentpagenumber and $totalpagenumber for page numbers). These are evaluated when you run 
the report to populate the report output with the appropriate numbering. 

Note: You can use Velocity template references for fields that accept text, as described in "Velocity 
References for Reports" on page 1097. 

Enter text for Footer: Disclaimer as required by your company. 

Horizontal Alignment: From the drop-down menu, select where you want the footer to appear in the 
footer area: left, right, or center. 

Vertical Alignment: From the drop-down menu, select where you want the footer to appear in the 
footer area: top, center, or bottom. 

Font: From the drop-down dialog, select a font from the list of fonts available on your local system, 
together with the font size and style (bold, italic). The preview window shows how the font will look. 

Foreground Color: From the drop-down dialog, select a foreground color. This is the color of the 
lettering. 

Background Color: From the drop-down dialog, select a background color. This color fills the footer 
box. 

Text: Title, Subtitle, [other] 

Text: Enter the text you want to use as the title of your report, such as Top 10 Attacks per Zone. 

Horizontal Alignment: From the drop-down menu, select where you want the title to appear in the title 
area: left, right, or center. 

Vertical Alignment: From the drop-down menu, select where you want the title to appear in the title 
area: top, center, or bottom. 

Font: From the drop-down dialog, select a font from the list of fonts available on your local system, 
together with the font size and style (bold, italic). The preview window shows how the font will look. 

Foreground Color: From the drop-down dialog, select a foreground color. This is the color of the 
lettering. 

Background Color: From the drop-down dialog, select a background color. This color fills the title 
box. 


Preview 

The Preview section shows the layout of the report, and does not show the formatting updates as you 
go along. If you have designed other text boxes for your template, the attributes for those text boxes are 
displayed here using the same format as those shown above. 


Binding Data to the Report 

After the template is chosen and formatted, you are ready to populate the elements of the report with 
data. 



Binding Data to Charts 

The Data tab is where you choose which parts of the query or filter result data you want to use for each 
report element, apply legends and, optionally, top/bottom functions. 

Use these options to select the data source (query or trend), chart and table type to use for the report, 
columns to include, and details on how the chart presents data. 


Chart Data: Description 

Data Source: From the drop-down menu, select an existing data source you want to use for the chart 
in your report. 

The data source drop-down menu provides a list of existing resources based on the resource type you 
selected in the accompanying drop-down. You can report on queries, trends, active lists, or session 
lists. 

When the data source is selected, the remaining elements of the Data tab populate with the data 
available in the selected resource. 

Chart Type: From the drop-down menu, select the type of chart you want to use for the chart part of 
the report. Depending on the template you use, several types of bar charts may be available, as well 
as line charts, pie charts, speedometers, and so forth. The data source and chart type you choose 
apply to both the X- and Y-axes. 

2 sets of data (z-axis): Check this box if you want to plot the same type of data in a series fashion; 
for example, hourly EPS rates for connectors, where the different connectors comprise the series. 

Note: If you check this box, the Data tab adds a subtab for the Z-axis. 


Selecting Data for the X-Axis on a Chart 

(Screenshot: the Report editor's Data tab for a chart, with the Data Source set to the trend 
VPN Logins Outcome - Hourly, the resource type Trends, the Chart Type Line chart, the 
Data (X-Axis) and Value (Y-Axis) subtabs, the Available Columns list (Time, Category Outcome), 
the Selected Columns list (Hour, sorted A-Z), the "2 sets of data (Z-axis)" check box, the Display 
Options subtab, and Label Rotation set to 0 degrees. The callouts read as follows.) 

• Data Source: Choose an existing resource on which to run the report. (Available sources will 
depend on which resource type is selected.) Data selected here apply to both X and Y axes. 

• Resource Type: Choose the resource type. You can report on queries, trends, active lists, or 
session lists. 

• Chart Type: Choose a chart type: bar, line, pie, and so on. 

• X, Y Axis Tabs: Indicates which aspect of Data details you are working on. Optionally, you can 
aggregate on one of the columns for this report. 

• X-Axis Details: Choose and order the data you want to use on the X axis. Optionally, create and 
position a label for the data. 


If the report template you selected contains a Chart, bind your result data to the chart as described in 
the following table. 


Binding Results to a Chart 

X-Axis Data Attribute: Description 

Available Columns: Select the data fields from the query you want to show in the X-axis and use the 
right-hand arrow to move them to the Selected Columns area. The data you select here should be the 
items you want to count. 

For example, to build a trend report showing the number of events over time, use a trend that captures 
the number of events per day. Add the end time to the X-axis to represent the day and add the count 
gathered for that day to the Y-axis. In this case, the X-axis is the data label, and the Y-axis is the 
count. 

Selected Columns: The Selected Columns area shows which data fields you have selected for the 
X-axis, and provides the opportunity to change the sort order of the data. 

Sort: Sort the selected column in ascending or descending order. 

To change the sort order, select the column then click the Sort check box. Select A-Z to sort data in 
ascending order; select Z-A to sort data in descending order. 

Note: If you are also plotting a Z-axis (data series) and your output is a bar chart, make sure to set 
your sorting on the X-axis. 

X-Axis Title: Specify a title for the X-axis. 

Label Rotation: Select a rotation angle for the labels by entering a number between 0 and 90. 

Labels refer to the individual X-axis data points, which are automatically derived from the data. The 
Label Rotation controls the angle of these labels. 

Selecting Data for the Y-Axis on a Chart 



(Screenshot: the Value (Y-Axis) subtab of the chart's Data tab, with these callouts:) 

• Y-Axis Details: Choose and order the data you want to use on the Y axis. Optionally, create and 
position a label for the data. 

• Summary Function: Optionally, you can enter a Summary Function on one of the columns and 
aggregate on that data for the report. 

Y-axis data should be numeric. If the data you select is a non-numeric data type, such as a string, apply 
a numeric summary function to it, such as Count or Count distinct. 


Y-Axis Attributes for Charts 

Y-Axis Data Attribute: Description 

Available Columns: Select the data fields from the query you want to show in the Y-axis and use the 
right-hand arrow to move them to the Selected Columns area. The data you select here should be the 
item you want to count by. For example, to show how many addresses each of your attacker zones 
has, you would select the attacker address. 

Selected Columns: The Selected Columns area shows which data fields you have selected for the 
Y-axis, and provides the opportunity to change the sort order of the data. 

Summary Function: You can assign a summary function to one or more columns of data. (In the 
"Function" row for a column, click in the column to get a drop-down menu of functions.) 

• Count - Provides a count of all line items returned by the query. 

Note: The Count function is a simple count of all events. It takes into consideration 
the aggregated event count and counts each event in an aggregated event 
individually. For example, if an event has an aggregated event count of 5, the Count 
function counts this event as equivalent to 5 events (with an aggregated event count 
of 1 each). Take this into account when comparing the number of rows in a report 
with the "grand total" count based on the Count function. 

• Count Distinct - Provides a count of how many items are unique. For example, if 
there are 100 IP addresses but only 5 of them are unique, the system counts 5. 

• Average - Adds the results of numeric data and divides by the number of line items. 

• Sum - Adds the results of numeric data. 

• Max - For numeric data, Max returns the line item with the highest value. 

• Min - For numeric data, Min returns the line item with the lowest value. 

• Median - For numeric data, Median returns the line item with the value closest to 
the middle between high and low. 

• Standard Deviation - For numeric data, measures the dispersion of the values in the 
data set (how spread out they are). If the data points are all close to the mean, then 
the standard deviation is close to zero. If many of the data points are far from the 
mean, then the standard deviation is further from zero. If all the data values are equal, 
then the standard deviation is zero. The Standard Deviation is the square root of the 
variance. 

• Variance - For numeric data, measures how spread out the distribution of data is. 
The variance is computed as the average squared deviation of each number from its 
mean. The variance and the standard deviation are closely related measures of 
dispersion and variability. 

Selecting one of these functions activates the Aggregation tab, where you can set 
further parameters on these functions. To set a function, select a column, and choose a 
function from the Summary Function drop-down menu. 

Y-Axis Title: Type in a title for the Y-axis. 

Label Rotation: Select a rotation angle for the labels by entering a number between 0 and 90. 

Labels refer to the individual Y-axis data points, which are automatically derived from the data. The 
Label Rotation controls the angle of these labels. 

Sort by: Optionally, choose a sorting order for the data on the Y axis. You can display data 
alphabetically (the default), in reverse alphabetical order, or sorted by count. 

Caution: If you are plotting a Z-axis (data series) and your output is a bar chart, make sure to set 
your sorting on the X-axis. 


Selecting Data for the Z-Axis on a Chart (Optional) 

The Z-Axis subtab is available only if you check the "2 sets of data (z-axis)" checkbox because you 
want to plot data in a series fashion. The only available option on the subtab is to select a column for 
the Z-Axis. 

Tip: Best practices when using series (Z-axis): 

If you are setting data on the Z-axis, note that you cannot use Top N Charts. Also consider the 
effect of the "Row Limit" setting in the query. For example, if your row limit for a normal chart (X- 
and Y-axes only) is 10 rows, you will get 10 data points. For a stacked chart with a Z-axis, you will 
still get 10 data points but two will be in the same column. You can try a limit of 25 to 30 rows, 
which makes the chart readable, but could cause a readability issue if there is not a lot of overlap 
(stacking) in the data series. 

Effect of Sorting on Bar Charts with Series Data 

You might encounter unexpected results in your bar charts (stacked or not stacked) if you are plotting 
data on the X-, Y-, and Z-axes. Consider the following stacked bar charts, where the expected result is 
shown in Example A but the actual result shows as Example B. In Example B, the stacks seem to 
spread out along the X-axis as separate data points (the samples are only to represent the behavior 
described in this topic). 

(Figure: two sample stacked bar charts. Example A: Expected Result, with the series stacked in 
one bar per X-axis value. Example B: Actual Result, with the stacks spread out along the X-axis as 
separate data points.) 

The following configurations can result in a stacked chart report similar to Example B: 

• The query has an ORDER BY statement. The Query Structure shown on the query's General tab 
for the sample query "stacking bar chart query" is: 

SELECT 
Category Behavior 
Target Address 
Sum(Aggregated Event Count) SUM 
GROUP BY 
Category Behavior 
Target Address 
ORDER BY 
Sum(Aggregated Event Count) SUM DESC 


The query is not wrong; in fact, the report rendered as a table shows correctly. Additionally, the 
query may be driving other resources like query viewers and so on; therefore, you should not 
change the query in this case. 

• The chart is configured for z-series data plotting: 




Again, there is nothing wrong with this setting if you want to plot a data series. 

• The column included in the ORDER BY statement from the query is applied to the Y-axis and 
sorting is also enabled: 

(Screenshot: the Report editor for the sample report "stacking bar chart and table report", showing 
the chart's Y-axis settings with the query's ORDER BY column selected and Sort enabled.) 



Using the query’s ORDER BY column on the Y-axis and also applying the sorting to the Y-axis 
gives you the Example B report, the one you did not expect. To fix this problem, configure the report 
so that sorting is ignored on the Y-axis. Instead, apply sorting to the X-axis according to the 
following instructions. 

To configure the report so that it sorts on the X axis: 

1. Go to the chart's setting for the X-axis parameters and click the entry under Selected Columns. 

2. Click the Sort checkbox and select the sort order as desired. 

You do not need to remove sorting on the Y-axis as long as sorting is enabled for the X-axis. The 
X-axis takes precedence, and the resulting report will now be like Example A. 
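To make the sorting behavior above concrete, here is a small Python model added to this section; it is not ArcSight code. The rows are constructed to look like the output of the query shown above (grouped by Category Behavior and Target Address, ordered by the summed count, descending). The assignment of Target Address to the X-axis and Category Behavior to the Z-axis series is an assumption, and the renderer is deliberately simplified: it starts a new bar whenever the X value changes between consecutive rows, which is enough to reproduce the Example B symptom and to show why enabling the X-axis sort fixes it.

```python
"""Why sorting stacked-bar rows on the Y-axis spreads the stacks out (Example B)
while sorting on the X-axis keeps them together (Example A).

Added example, not ArcSight code. The renderer below is a deliberately simple
model: consecutive rows that share an X value go into one bar, and a change in
X starts a new bar. That is enough to reproduce the symptom described above.
"""
from itertools import groupby

# Constructed rows in the order the sample query would return them:
# GROUP BY Category Behavior, Target Address; ORDER BY the summed count DESC.
# Axis assignment is assumed: X = Target Address, Z (series) = Category
# Behavior, Y = Sum(Aggregated Event Count).
QUERY_ROWS = [
    {"x": "10.0.0.5", "z": "/Execute/Query", "y": 120},
    {"x": "10.0.0.9", "z": "/Access/Start",  "y": 95},
    {"x": "10.0.0.5", "z": "/Access/Start",  "y": 80},
    {"x": "10.0.0.7", "z": "/Execute/Query", "y": 60},
    {"x": "10.0.0.9", "z": "/Execute/Query", "y": 40},
    {"x": "10.0.0.7", "z": "/Access/Start",  "y": 15},
]


def sort_for_chart(rows, x_sort=None, y_sort=None):
    """Apply the report's Sort settings before rendering. Each setting is None
    (no sort), "A-Z" (ascending) or "Z-A" (descending). When both are enabled
    the X-axis takes precedence, as the text states: the stable sort on X runs
    last, so the Y order only decides the segment order inside a bar."""
    out = list(rows)
    if y_sort:
        out.sort(key=lambda r: r["y"], reverse=(y_sort == "Z-A"))
    if x_sort:
        out.sort(key=lambda r: r["x"], reverse=(x_sort == "Z-A"))
    return out


def render_bars(rows):
    """Simplified stacked-bar layout. Returns [(x_label, [(series, value), ...]), ...]
    in left-to-right order; a new bar starts whenever the X value changes."""
    return [(x, [(r["z"], r["y"]) for r in group])
            for x, group in groupby(rows, key=lambda r: r["x"])]


def has_split_stacks(bars):
    """True when some X value occupies more than one bar: the Example B symptom."""
    labels = [x for x, _ in bars]
    return len(labels) != len(set(labels))


if __name__ == "__main__":
    # Y-axis sort on the ORDER BY column only: the same address shows up as
    # several separate bars (Example B).
    example_b = render_bars(sort_for_chart(QUERY_ROWS, y_sort="Z-A"))
    print(len(example_b), "bars, split:", has_split_stacks(example_b))
    # Sorting enabled on the X-axis (the Y-axis sort may stay on): one bar per
    # address with the series stacked inside it (Example A).
    example_a = render_bars(sort_for_chart(QUERY_ROWS, x_sort="A-Z", y_sort="Z-A"))
    print(len(example_a), "bars, split:", has_split_stacks(example_a))
```

With only the Y-axis sort the six rows render as six separate bars, because the same Target Address keeps reappearing between rows for other addresses; with the X-axis sort enabled the rows for one address become adjacent and render as a single stacked bar, and the Y-axis sort only orders the segments inside it.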


Specifying Top/Bottom Aggregation Filters for a Chart (Optional) 


You can also set Top/Bottom Counts for a chart. This tab only becomes active when a summary 
function is applied to data in the Y axis. Settings in the Aggregation tab set top/bottom counts to data 
with summary functions applied. This is an optional step. 



(Screenshot callout: Top/Bottom Filter: Optionally, use aggregation to set top/bottom counts for 
Y-axis numeric functions.) 


On the Chart Aggregation tab, set the top or bottom filter for the chart. If there are more charts in your 
report, repeat these processes until data is bound to all the charts and laid out in your report template. 


Aggregation Top/Bottom Filter: Description 

None (Show all): By default, no top/bottom filter is set. 

Top: Select Top if you want to show a certain number of entries with the highest values. Enter a 
number in the text box, and from the drop-down list, select an appropriate Y-axis data column with 
a function applied. 

Bottom: Select Bottom if you want to show a certain number of entries with the lowest values. Enter a 
number in the text box, and from the drop-down list, select an appropriate Y-axis data column with 
a function applied. 
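The summary functions listed under "Y-Axis Attributes for Charts" and the Top/Bottom filter in the table above, worked through in Python. This is an added example, not ArcSight's implementation: the result rows, the field names (attackerZone, attackerAddress, aggregatedEventCount) and the use of the function names as plain strings are constructed for the example. It shows in particular the point made in the Count note: a row carrying an aggregated event count of 5 counts as 5 events, so Count can exceed the number of rows in the report.

```python
"""Summary functions and Top/Bottom filtering over constructed query rows.

Added example, not ArcSight's implementation. Field names and row layout are
assumed; the function names match the Summary Function drop-down described above.
"""
from collections import defaultdict
import math
import statistics

# Constructed result rows, as a query that selects the attacker zone, attacker
# address and aggregated event count might return them (sample data).
ROWS = [
    {"attackerZone": "DMZ",      "attackerAddress": "10.1.1.10",  "aggregatedEventCount": 5},
    {"attackerZone": "DMZ",      "attackerAddress": "10.1.1.10",  "aggregatedEventCount": 1},
    {"attackerZone": "DMZ",      "attackerAddress": "10.1.1.11",  "aggregatedEventCount": 2},
    {"attackerZone": "Internal", "attackerAddress": "10.2.2.20",  "aggregatedEventCount": 1},
    {"attackerZone": "Internal", "attackerAddress": "10.2.2.21",  "aggregatedEventCount": 1},
    {"attackerZone": "Internal", "attackerAddress": "10.2.2.21",  "aggregatedEventCount": 3},
    {"attackerZone": "Partner",  "attackerAddress": "172.16.0.5", "aggregatedEventCount": 1},
]


def count(rows):
    """Count as the guide describes it: a row with an aggregated event count of 5
    counts as 5 events, so the result can exceed the number of rows."""
    return sum(r["aggregatedEventCount"] for r in rows)


def count_distinct(rows, column):
    """Count Distinct: how many unique values the column holds."""
    return len({r[column] for r in rows})


def summarize(rows, column, function):
    """Apply one Summary Function to a column of the given rows."""
    values = [r[column] for r in rows]
    if function == "Count":
        return count(rows)
    if function == "Count Distinct":
        return count_distinct(rows, column)
    if function == "Sum":
        return sum(values)
    if function == "Average":
        return sum(values) / len(values)
    if function == "Max":
        return max(values)
    if function == "Min":
        return min(values)
    if function == "Median":
        return statistics.median(values)
    if function == "Variance":
        # mean of the squared deviations from the mean
        return statistics.pvariance(values)
    if function == "Standard Deviation":
        # square root of the variance
        return math.sqrt(statistics.pvariance(values))
    raise ValueError(f"unknown summary function: {function}")


def group_summary(rows, x_column, y_column, function):
    """One chart point per X-axis value: group the rows by x_column and apply
    the summary function to y_column inside each group."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[x_column]].append(r)
    return {x: summarize(g, y_column, function) for x, g in groups.items()}


def top_bottom(points, n, mode="Top"):
    """Aggregation tab Top/Bottom filter: keep the n points with the highest
    ("Top") or lowest ("Bottom") summarized value."""
    ranked = sorted(points.items(), key=lambda kv: kv[1], reverse=(mode == "Top"))
    return ranked[:n]


if __name__ == "__main__":
    print("rows:", len(ROWS), "Count:", count(ROWS))
    print("Count Distinct attackerAddress:", count_distinct(ROWS, "attackerAddress"))
    sums = group_summary(ROWS, "attackerZone", "aggregatedEventCount", "Sum")
    print("Sum per zone:", sums)
    print("Top 2 zones:", top_bottom(sums, 2, "Top"))
```

group_summary produces one point per X-axis value, which is the shape a chart binds, and top_bottom then keeps the N highest or lowest of those points, as the Aggregation tab does for a Y-axis column that has a function applied. Note the difference between the seven rows and the Count of 14, which is the "grand total" discrepancy the Count note warns about.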


Setting Display Options and Scale Formats for Charts 

Use the Display Options subtab to specify visual formats on the chart. These options, unless 
otherwise noted, simultaneously apply to the X- and Y-axes. 



Category / Attribute: Description 

Display Options 

Font: From the drop-down menu, select a font style and size for the X- and Y-axis text. 

Show Legend, Placement: Select this box to show a legend of the data elements. Keep in mind the 
number of different data elements your query may return. If the data you selected contains many 
elements, the legend may be large, which reduces the available space for the chart itself. If you 
choose to display the legend, you can move its location from choices in the Placement drop-down 
menu. 

Show X-Axis grid, Show Y-Axis grid: For the selected axis, include the grids on the report. The X-axis 
grid displays as vertical lines per data point, and the Y-axis grid displays as horizontal lines. 

Scale and Format 

Data (x-axis) 

Show Labels: Select this box to display the labels for data points on the X-axis. 

Data (y-axis) 

Logarithmic Scale: Use this option if your data point deltas are so huge that incorporating them on 
the chart poses a readability issue; for example, one data point is 1,000 and the next is 100,000. 
With logarithmic scaling, values are then displayed in orders of magnitude instead of linearly. 

Show Value: Displays the value of the data point. 

Min: The minimum value as a starting data point to plot on the chart. For example, if you set it to 
1000, values below that will not be plotted. The chart begins at 1000 on the Y-axis. If left blank, 
plotting starts at the 0,0 position. 

Max: The maximum value for the data point. 

Incr: Increments to use on the Y-axis starting with the specified minimum. 


Binding Data to Tables 

If the template you selected contains a table, use the Table Fields tab to build a visual representation 
of a table in which to display the query result. You can choose the type of data source (trend, query, 
active list, or session list) and the particular data source (which query, trend, and so forth) to report on. 
Then you can select which fields from the data result to appear in your report (with the “Use” check 
box). Use Groups to combine fields into a single column in your Report table (drag and drop or menu 
commands available for the report table). 
Table Data 

• Data Source - From the drop-down menu, select an existing data source you want to use for the 
table part of your report. The data source drop-down menu lists existing resources of the resource 
type you selected in the accompanying drop-down. You can report on queries, trends, active lists, 
or session lists. When the data source is selected, the remaining elements of the Data tab are 
populated with the data from the selected resource. 


[Screenshot: Inspect/Edit panel for the VPN Logins report, Data tab, Table section. Data Source is 
set to the VPN Logins Outcome - Hourly query (resource type Queries). The Fields grid lists the 
query columns Timestamp, Category Outcome (Count), Category Outcome, and Hour, with rows for 
Use, Function, Alias (Time, Number of Logins, Category Outcome, Hour), Width (Auto), Sort, 
H. Align, V. Align, and Page Break; Custom Layout is User specified layout. Below the grid are the 
Display Options (Font, Foreground, Background) and Global Options (Merge cells, Show group 
header, Show group columns, Show grand total, Label), followed by Preview, OK, Cancel, and Apply 
buttons. Callouts: Data Source - choose an existing resource on which to run the report (available 
sources depend on which resource type is selected). Resource Type - choose the resource type; you 
can report on queries, trends, active lists, or session lists. Fields and Groups - select the data fields 
you want to display (enable Use for each field to show), provide a display name alias, specify the 
data sort order, arrange columns by dragging and dropping fields, and group multiple fields in a 
single column by dragging fields into Groups. Display Options - select a column or group to set font, 
foreground, and background display options. Global Options - apply to the whole table.] 


Specifying Fields for a Table 

In the Available Columns area, you can select the fields you want to display in the table, group 
multiple fields into a single column as needed, assign Alias names for column headings, specify a data 
sort order, and set column size and alignment options. 
Available Columns for Tables 

• Groups - Optionally, you can sort data results from queries by grouping two or more fields into a 
single column. To create a group: right-click in the Groups row for a column and choose Make 
Group. In the dialog, enter a name for the new group and add the selected field. To add fields to a 
group: drag fields from the Fields row to the Groups row. Alternatively, right-click a field and 
choose Add to Group. In the dialog, enter the group's name. 

• Fields - Displays the fields as columns for your report. The field name is displayed as it is referred 
to in the database. This field is not editable. 

• Use - By default, all data entries are selected for use in the table. If you do not want to use all the 
available columns, uncheck the corresponding check box. Caution: If you de-select a data entry 
because you do not want to use that column in the report, the column is automatically pushed to 
the far right (the end of the table) to move it out of the way so that you can focus on the columns 
you are using. If you then select Use again for that same data entry, its column is re-inserted into 
its original position along with the other columns you have selected to use. 

• Function - To set a function on a field, click in the Function row for that field's column. Select the 
function you want to apply to the column from the Function drop-down menu. After the function is 
set, the field appears with the function icon. Fields set with functions can be filtered in the 
Aggregation tab. 

• Alias - Enter a display name alias for the data column. For example, if the column is referred to as 
Source Translated Zone Name in the ArcSight database, you can shorten this name to Zone Name 
or Src Zone for display in the report table. In our example, we provide the aliases Time instead of 
Timestamp and Number of Logins for Category Outcome (Count). 

• Width - Set column Width to either of the following options: Auto, which divides column width 
evenly among the selected columns, or User Specified Layout, which requires that you enter 
numbers to specify percentage widths for individual columns. 

• Sort - Indicate the sort order for the data in each column. 

• H Align - Right-click in the H Align row to display a drop-down menu for specifying horizontal 
alignment of text in a given column. You can select text to be left-aligned, centered, or right-aligned 
in the corresponding column. 

• V Align - Right-click in the V Align row to get a drop-down menu for specifying vertical alignment 
of text in a given column. You can select top, bottom, middle, or baseline alignment in the 
corresponding column. 

• Page Break - Right-click in the Page Break row in a column to get options for specifying a page 
break before or after that column. 

With the Custom Layout options, you can specify custom column widths for the data in the table. By 
default, the Custom Layout drop-down menu shows User Specified Layout, which enables you to 
enter a numeral to specify a percentage for individual columns. Select one of the following: 

• Fit content - Adjusts the column width to accommodate its content without wrapping. If the content 
is wider than the table, the table is extended to multiple pages. 

• Fit content one table area per page - Adjusts the column width to accommodate its content 
without wrapping, and breaks each column onto its own page. 

• Fit content to page - Adjusts the column width to accommodate its content without wrapping, and 
stretches the last column to fill the page. 

• Equal width columns - Each column receives the same width to fit across a single page. 

• User specified layout - Enables you to enter a numeral that represents a percentage of the overall 
page width. You can set a percentage for each column that totals 100%, or enter a percentage for 
one column, and the others selected receive an even percentage of the space remaining. 

The Display Options area provides format options for each individual data column. This enables you 
to set different font style, size, and color and column background colors for each data column. To 
activate the display options, select one or more data columns: 

• To select one column: click the column by its Field name. 

• To select one or more contiguous columns: click a field, hold down the Shift key, and select the 
remaining fields. 

• To select one or more non-contiguous columns: click a field, hold down the Ctrl key, and select 
the remaining fields. 


• Font - From the drop-down menu, choose a font for the selected columns. 

• Foreground Color - Foreground color for text, any visible lines that describe rows/columns, and 
other elements in the foreground. 

• Background Color - Background (field) color for the data column. 
In the Global Options area, you can set formatting options that apply to the whole table (not just one 
column). 

• Merge cells - Indicates whether to merge cells for grouped columns. When this option is enabled, 
identical values in grouped columns show only once. When this option is disabled, identical values 
show as many times as they occur (regardless of whether they are grouped). 

• Show group header - Indicates whether to show a group header row. This is a group label for 
when you have a summary function that adds one or more rows at the end of the section. If this 
option is enabled, the table includes an extra column with a header derived from the content by 
which the section is grouped. 

• Show group columns - Enable this option to populate the grouped columns with data. (If this 
option is disabled, grouped columns are empty.) 

• Grand total - If you want to provide a grand total of all the sections, check the Show grand total 
box. 

• Label - If you selected a grand total, you can apply a label for the grand total. For example, use 
Total VPN Login Attempts. 


Click the Preview button to preview the report table with the current configuration. 


Enabling the Aggregation Tab for a Table 

If your report is using the Table template, the Aggregation tab is disabled by default until the following 
requirements are met on the report’s Data > Fields tab: 

• At least one of the columns is assigned to a group. 

• At least one of the columns must be set with a function. 

The following scenario describes the process to enable the Aggregation tab. 

1 . Define the query. For example, you want to look at event names by priority. In the query’s Fields 
tab, select the columns you need (Name and Priority in this case). After selecting the columns, 
add these same columns to the GROUP BY list. In the Conditions tab, define the conditions for 
the query (for example, you are interested in Priority greater than 3). 

2. Create a report. On the Template tab, use one of the table templates (for example, Simple Table 
Portrait). In the Data tab, specify the query defined in the beginning of this procedure as your data 
source. The Fields tab is automatically populated by the columns from the query, in this case, 
Name and Priority. 

3. On the Fields tab, create a group for one of the columns (for example, for Priority), then select a 
function for another column (for example, for Name) from the drop-down list. Columns with 
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functions can be filtered through the Aggregation tab. For instructions on how to add columns to 
groups and how to apply functions to columns, see "Query Type" on page 306. The Aggregation 
tab is enabled after you click Apply. 

Setting Top/Bottom Counts in Table Aggregation Tab (Optional) 

If the Aggregation tab is enabled, you can optionally set top/bottom counts on the fields that have 
functions applied. The filter is expressed in the form Function(Field), as the following example 
shows. 

[Screenshot: Report:ReportByPriority, Data tab, Table section, with Data Source QueryByPriority 
(resource type Queries). The Aggregation tab reads "Set a top or bottom filter for the chart 
(optional)", with Section that will be filtered: Priority, and the filter choices None (Show all), 
Top (enter a count) by means of Count( Name ), and Bottom 4 by means of Count( Name ).] 


On the Aggregation tab, set the top or bottom filter for the table. If there are more tables in your report, 
repeat these processes until data is bound to all the tables and laid out in your report template. 


Aggregation 

• None (Show all) - By default, no top/bottom filter is set. 

• Top - Select Top if you want to show a certain number of entries with the highest values. Enter a 
digit in the text box, and from the drop-down list, select an appropriate data column with a function 
applied. 

• Bottom - Select Bottom if you want to show a certain number of entries with the lowest values. 
Enter a digit in the text box, and from the drop-down list, select an appropriate data column with a 
function applied. 
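The following Python is an added example, not code from this guide or from ESM. It models what the ReportByPriority scenario above computes once the requirements for the Aggregation tab are met: the query condition Priority > 3, a group on Priority, the function Count(Name), and then the Top or Bottom filter by that count. The sample rows are constructed, and breaking ties between sections by their label is an assumption (the guide does not say how ESM orders equal counts).

```python
"""Added example (not ArcSight code): what the table Aggregation tab computes
once one column is grouped and another has a function. Models the page's
ReportByPriority scenario: the query returns Name and Priority with the
condition Priority > 3, the report groups on Priority, applies Count(Name),
and the Aggregation tab keeps the Top or Bottom N sections by that count."""
from collections import defaultdict

FIELDS = ["Name", "Priority"]

# Constructed query result rows (Name, Priority); not real ESM data.
SAMPLE_ROWS = [
    ("Failed Login", 5), ("Failed Login", 5), ("Port Scan", 5),
    ("Malware Detected", 8), ("Malware Detected", 8), ("Malware Detected", 8),
    ("Policy Violation", 4), ("Config Change", 7), ("Config Change", 7),
    ("Brute Force", 9), ("Heartbeat", 2), ("Heartbeat", 1),
]

# Functions in the form the tab shows them: Function(Field).
FUNCTIONS = {
    "Count": len,
    "CountDistinct": lambda values: len(set(values)),
    "Max": max,
}


def where_priority_gt(rows, threshold):
    """The query's Conditions tab: keep rows whose Priority is greater than threshold."""
    p = FIELDS.index("Priority")
    return [r for r in rows if r[p] > threshold]


def aggregate(rows, group_field, function, func_field):
    """Group rows by group_field and apply function to func_field.
    Returns {section value: Function(Field) result}."""
    g, f = FIELDS.index(group_field), FIELDS.index(func_field)
    buckets = defaultdict(list)
    for row in rows:
        buckets[row[g]].append(row[f])
    fn = FUNCTIONS[function]
    return {section: fn(values) for section, values in buckets.items()}


def top_bottom(sections, mode="None", count=None):
    """The Aggregation tab filter. mode is 'None' (show all), 'Top' or 'Bottom';
    count is the digit entered in the text box. Ties are broken by section
    label (an assumption) so the result is deterministic."""
    items = list(sections.items())
    if mode == "None":
        return sorted(items)
    if mode not in ("Top", "Bottom"):
        raise ValueError(f"unknown mode {mode!r}")
    if not isinstance(count, int) or count < 1:
        raise ValueError("enter a positive whole number of entries")
    if mode == "Top":
        items.sort(key=lambda kv: (-kv[1], kv[0]))   # highest count first
    else:
        items.sort(key=lambda kv: (kv[1], kv[0]))    # lowest count first
    return items[:count]


def report_by_priority(rows=SAMPLE_ROWS, mode="None", count=None):
    """End to end: query condition, group + function, then the top/bottom filter."""
    filtered = where_priority_gt(rows, 3)
    sections = aggregate(filtered, "Priority", "Count", "Name")
    return top_bottom(sections, mode, count)


if __name__ == "__main__":
    for mode, n in (("None", None), ("Top", 2), ("Bottom", 2)):
        print(mode, n, report_by_priority(mode=mode, count=n))
```

Run it and compare the three outputs: with no filter every priority section appears; Top 2 keeps the two sections with the most events (priorities 5 and 8, three each); Bottom 2 keeps the sections with the fewest. Note that the filter applies to the function value per section, which is why both a group and a function are required before the tab is enabled.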
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Setting Default and Custom Report Parameters 

The report's Parameters tab is where you set report output details such as file format, paper size, and 
routing instructions. From here you can also set limits on the query return such as row limits and time 
zone settings, apply filters, and specify report start and end times. 


[Screenshot: a report's Parameters tab. The Report Parameters area (Name, Value, Use Default) 
shows the Common Parameters Report Format = Pdf, Page Size = Letter, Run as User, Email to = 
Select a User, Email addresses, Email Format = Send URL, and Email Subject = $ReportName, and 
the Custom Parameters Start Time = $Now-1h and End Time = $Now, with Add and Edit buttons. 
The Query Parameters area (Name, Value, Use Default) lists, for the Chart element, Time Zone = 
Manager Time Zone, Filter by = Select a Filter, Row Limit, Start Time, and End Time, each with a 
Use Default check box. Callouts: Report Parameters - set report output details. Custom 
Parameters - add and edit custom parameters. Query Parameters - set override parameters for the 
query data selected for each element of the report.] 


In the Report Parameters area, enter the following values. The Use Default check boxes do not apply 
to these items; the default values are used until you replace them with new values. Note that users 
can reset most of these parameters at report runtime. 
Report Parameter Values 

Common Parameters: 

• Report Format - From the drop-down menu, select one of the following report output formats. 

pdf - Outputs the report as an Adobe PDF file. 

xls - Generates a Microsoft Excel file for tables and charts. 

Note: XLS reports you open with Microsoft Excel 2002 might have page break format problems 
(misalignments, column spillover) due to default page size settings in Excel. To correct this problem, 
open the resulting XLS report in Excel, choose File > Page Setup from the menus, change the paper 
size to Letter (instead of Legal), and click OK to save your changes. The report then has the 
appropriate page break formatting. This problem does not occur in newer versions of Microsoft Excel. 

Note: XLS report formats display speedometer charts as pie charts. This is a known limitation in 
Microsoft Excel. 

rtf - Produces a rich-text format document. 

csv - Creates tabular data as a list of comma-separated values. 

Note: Reports generated in CSV format are not the full equivalent of exports to other formats like 
PDF or HTML. CSV format is useful for loading report data into a spreadsheet for further 
manipulation. Since CSV is meant to contain tabular data, only the table data of a report is normally 
useful. Therefore, ArcSight exports only the table data portion of a report to CSV format, ignoring 
any other report information such as charts or text, including report titles. 

html - Generates the report as a Web page displayed by the default web browser. 

Your selection affects your choice of e-mail formats. See the description of Email Format, another 
report parameter, in this table. 

The output file is created at report runtime and is stored in the Archived Report Group corresponding 
to the report's group. See the Archives tab on the report's edit panel. 

• Page Size - From the drop-down menu, select a paper size. 

• Run as User - Run the report as a particular user. From the drop-down menu, select the user name 
under which you would like to run the report. For example, this option allows an administrator for a 
Managed Security Service Provider (MSSP) to run a report for a customer. The administrator needs 
write permissions to that user. 

Note: This option is not available for case reports. 
Report Parameter Values, continued 

• Email to - You can have the report sent as e-mail to one or more ArcSight users. From the 
drop-down menu, select the Console users to whom the report should be e-mailed (the selection 
list is read from the Users resource). Each recipient sees only his or her own user name in the To 
field, even if there are multiple recipients for this report. 

Handling empty reports: If you are e-mailing reports, empty reports are also sent. This is 
determined by the server property report.scheduler.notify_empty_reports, which defaults to 
true. If you do not want empty reports to be sent, add the property to the server.properties file 
and set it to false. Follow the instructions in the ESM Administrator's Guide on how to edit this 
file; the details are in the guide's Configuration chapter, topic on Managing and Changing 
Properties File Settings. 

• Email addresses - Send the report to one or more comma-separated or semicolon-separated 
e-mail addresses. This option does not require the recipient to be an ArcSight user, so treat the 
address list as an export path for the report's contents: a mistyped or external address receives 
the report just as an ArcSight user would. 

Note: Each recipient sees only his or her own e-mail address in the To field, even if there are 
multiple recipients for this report. 

• Email Format - Specify how the report is to be accessed by the recipient. 

Choose Send URL if you want to point users to the report. Use this option if the report is large and 
is saved (archived) to a network-accessible location. You can provide URLs for all report formats: 
PDF, XLS, RTF, CSV, and HTML. 

Choose Attach Report if you want to send the report directly to the user's mailbox. You can only 
attach PDF, XLS, RTF, and CSV report formats. 

Choose Attach Compressed Report if you want the PDF, XLS, RTF, or CSV report to be compressed 
(zipped) before mailing. 

Choose Embed Report if you want the report displayed in the e-mail message body, so that the 
recipient sees it immediately upon opening the e-mail. You can only embed CSV and HTML report 
formats. 

Note: If you select an e-mail format that does not support the chosen report format, the notification 
automatically uses the URL. 

• Email Subject - Specify the subject of the notification. Defaults to the report's Name attribute 
(denoted by $ReportName). If you want a customized subject, type the text either in addition to the 
default or in place of it. 

Adding Custom Parameters for Report Data 

To add a custom parameter that applies to the Report data: 

1 . On the report's Parameters tab, click the Add button. Parameters added here override those set in 
the query. For example, if you want all the report elements to report on events for the past 2 hours, 
you can create a start time parameter of $Now-2h, which sets both table and chart start times to 
$Now-2h. Custom parameters are saved locally to the report definition, and are not persisted back 
in the query. 

2. Give the parameter a name and map it to a query parameter. 

3. Click OK to apply them to the report definition. 

4. Back in the Parameters tab in the Custom Parameters section, enter an override parameter for 
the fields you selected from the Add Custom Parameters dialog. 

5. In the Query Parameters area, enter any override values for the parameters in your query data. 
The Use Default checkboxes are only activated for items where default parameters exist and 
override values can be entered. 

Enter these override parameters as needed for each chart and table. 


Query Override Parameters 

• Time Zone - By default, the Manager Time Zone is used. Choose the Console time zone, or 
another time zone from the drop-down list. 

• Filter By - Set a filter to operate on the query conditions. 

• Row Limit - The report gets its row limits from the settings in the query being used. By default, 
the row limit for a table is 10000 and the row limit for a chart is 25. You can change the default to 
manage row size. 

• Start Time - The report gets its start time from the query being used. To override the one set in 
the query, disable Use Default for this field and specify a start time here. For example, if you want 
all the report elements to report on events for the past 2 hours, you can create a start-time 
parameter of $Now-2h, which sets both table and chart start times to $Now-2h. This setting is 
saved locally as part of the report definition, not as part of the original query upon which the report 
is based. 

• End Time - The report gets its end time from the query being used. To override the one set in the 
query, disable Use Default for this field and specify an end time here. This setting is saved locally 
as part of the report definition, not as part of the original query or trend upon which the report is 
based. 

6. Click Apply to save settings or OK to save settings and close the Inspect/Edit details for this 
report. 
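The following Python is an added example, not code from this guide or from ESM. It models how the Query Parameters overrides described above resolve for each report element, including a custom Start Time of $Now-2h that is pushed to both the table and the chart while every other value stays at the query's default. The only relative-time forms it accepts are $Now and $Now-<n> with a unit of m, h, or d; that grammar, the fixed clock FIXED_NOW, and the per-element defaults in QUERY_DEFAULTS are assumptions made for the demonstration.

```python
"""Added example (not ArcSight code): how a report's query parameter overrides
and $Now-relative times resolve for each report element. The Use Default /
override precedence and the $Now-2h form come from the page; the exact
relative-time grammar ESM accepts is an assumption, so only $Now with an
optional -<n>[m|h|d] offset is handled here."""
import re
from datetime import datetime, timedelta, timezone

# Query-side defaults for each element (constructed; the row limits are the
# page's defaults of 10000 for a table and 25 for a chart).
QUERY_DEFAULTS = {
    "Table": {"Time Zone": "Manager Time Zone", "Row Limit": 10000,
              "Start Time": "$Now-1h", "End Time": "$Now"},
    "Chart": {"Time Zone": "Manager Time Zone", "Row Limit": 25,
              "Start Time": "$Now-1h", "End Time": "$Now"},
}

# Constructed clock so the demonstration is reproducible.
FIXED_NOW = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)

_RELATIVE = re.compile(r"^\$Now(?:\s*-\s*(\d+)\s*([mhd]))?$")
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def resolve_time(expr, now):
    """Turn '$Now' or '$Now-<n>[m|h|d]' into an absolute datetime."""
    m = _RELATIVE.match(expr.strip())
    if m is None:
        raise ValueError(f"unsupported time expression: {expr!r}")
    if m.group(1) is None:
        return now
    return now - timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def is_valid_time_expression(expr):
    try:
        resolve_time(expr, FIXED_NOW)
        return True
    except ValueError:
        return False


def apply_custom_parameter(overrides, name, value, elements):
    """A custom parameter added on the report's Parameters tab maps one value
    onto the named parameter of every listed element (Use Default unchecked)."""
    for element in elements:
        overrides.setdefault(element, {})[name] = value
    return overrides


def effective_parameters(query_defaults, overrides):
    """Per element: an override wins only where one was entered; everything
    else keeps the query's own value."""
    resolved = {}
    for element, defaults in query_defaults.items():
        merged = dict(defaults)
        merged.update(overrides.get(element, {}))
        resolved[element] = merged
    return resolved


def time_window(params, now):
    start = resolve_time(params["Start Time"], now)
    end = resolve_time(params["End Time"], now)
    if start >= end:
        raise ValueError("Start Time must be earlier than End Time")
    return start, end


def describe(overrides, now=FIXED_NOW):
    """Resolved, printable view of every element's window and row limit."""
    out = {}
    for element, params in effective_parameters(QUERY_DEFAULTS, overrides).items():
        start, end = time_window(params, now)
        out[element] = {"Row Limit": params["Row Limit"],
                        "Start": start.isoformat(), "End": end.isoformat()}
    return out


if __name__ == "__main__":
    ov = apply_custom_parameter({}, "Start Time", "$Now-2h", ["Table", "Chart"])
    for element, view in describe(ov).items():
        print(element, view)
```

Because overrides live in the report definition rather than in the query, the same query keeps its own $Now-1h window when another report uses it; only this report's elements see the two-hour window.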

Displaying a Custom Parameter Prompt at Report Runtime 

You can configure your report to prompt for a value at report runtime. If so, the user is prompted by the 
Parameters dialog box to enter a value before the report is created. This prompt will be based on one of 
the report’s custom parameters. For example, you have a report which is based on a query on assets, 
and you want the user to enter the first few characters of the host name when the report is run, so that 
the report contains data only about those hosts. The configuration is a two-step process: 

• "Defining the Prompt in the Query’s Condition Tab" below 

• "Adding or Removing a Prompt for Custom Parameters in the Report" on page 408 

Defining the Prompt in the Query’s Condition Tab 

The following procedure instructs you to create a query condition to associate a prompt with a specific 
field used by the query. 

1 . On the Reports resource, select the Queries tab. 

2. Locate the query (this example uses an asset-based query) being used by the report, right-click, 
and choose Edit Query. 

3. Go to the query’s Conditions tab. 
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4. On the Field Set or CCE panel at the bottom of the tab, locate the field for which you want to 

display a prompt, for example, Host Name. 

5. To prompt for a value for the Host Name field: 

a. Select a logical operator. This example uses StartsWith. 

b. Click the Browse icon. 

c. In the Advanced Editor dialog, click the Parameter check box to display the Prompt and 
Default Value fields. 

d. In the Prompt field, provide a meaningful name for this prompt. For example, your prompt can 
say HostName Starts with to match your logical operator. Notice that spaces are 
automatically replaced by underscores. 

e. Enter a default value (case sensitive) which can be changed at report runtime. The following 
example uses VA for host names starting with that string. 



Note: When specifying default values for the prompt, remember that string values are 
case sensitive. 

f. Click OK. Click the field again on the Field Set or CCE panel to save your condition. 

The Console automatically inserts the @ symbol in front of your prompt name, replaces spaces 
with underscores, and adds the condition statement to the query (in this example, Host Name 
StartsWith @HostName_Starts_with). 


6. Save your query. The condition you just added will be displayed on the report’s query parameters 
list. The next step is to add this prompt as a custom parameter in the report. 

Adding or Removing a Prompt for Custom Parameters in the 
Report 

After following the instructions in "Defining the Prompt in the Query’s Condition Tab" on page 406, 
follow the instructions here to add the prompt to the report's parameters. Instructions are also 
provided for deleting custom prompts if you no longer require them. 

To add the prompt: 

1 . On the Reports resource, select the Reports tab. 

2. Locate the report, right-click, and choose Edit Report. 

3. Go to the Parameters tab and verify that the field configured in the base query is listed in the 
Query Parameters list. 

4. Click the Add button to display the Add Custom Parameter dialog. 
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5. Under Map to Parameters, check the parameter corresponding to the prompt name, then enter a 
meaningful name in the Name field. 


The name used here will be displayed to the person running the report, so make sure the name you 
use clearly states what the report is expected to display (host names starting with a specified text 
string). 


[Screenshot: Add Custom Parameter dialog with Name set to Hostname_Starts_with and, under Map 
to Parameters, the Table element's parameters (Time Zone <ReportTimeZoneEnumeration>, the 
prompt parameter, and Row Limit <Integer>), each with a check box.] 

Caution: In the query condition, spaces are resolved with underscores, but not here, so make sure 
you insert the underscores as required. 

Click OK. 

The custom parameter is added to the Report Parameters section. Notice that the default value for 
the custom parameter in the Query Parameters section is not picked up in the Report Parameters 
section. If you want the default value to be displayed by the prompt, enter the value in the Report 
Parameters section. 



[Screenshot: Report: Report on Assets, Parameters tab. Under Query Parameters for the Table 
element: Time Zone = Manager Time Zone (Use Default checked), Hostname_Starts_with = VA, and 
Row Limit = 10000 (Use Default checked).] 


6. Click Apply or OK to save the report. 
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The next time you run the report, the custom parameter will be displayed in a dialog as in the following 
example: 



Based on the example, you can then enter the starting character strings (case-sensitive) of host names 
to be included in the report. If a default value is displayed, choose to run the report with the default or 
replace the value before running. See "Running and Managing Reports" on page 448 for more details on 
how to run a report. 

To remove the prompt: 

If the report no longer requires a prompt, revert your prompt configurations in this sequence: 

1 . Remove the custom parameter from your report by selecting it on the report’s Parameters tab and 
clicking Remove. 

2. Remove the condition for the prompt from your query by right-clicking it on the query’s Conditions 
tab and selecting Delete. 


Generating Reports with Asian Fonts 

This topic provides setup procedures so reports can display Asian character sets. 

To generate reports that properly display Asian character sets: 

1 . Configure the operating system and the ArcSight Manager to support the Language you are using. 

2. Make sure you have the Adobe Acrobat Reader 9 or later to view the PDF report. 
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If the Manager is running on Linux, do the following: 

1. Download the ARIALUNI.TTF font from the Linux support site. 

2. Go to the /usr/share/fonts/ directory and create a subdirectory called arial. 

3. Copy ARIALUNI.TTF to /usr/share/fonts/arial. 

4. Make a backup of the $ARCSIGHT_HOME/reports/sree.properties file. 

5. Add this property to sree.properties: font.truetype.path=/usr/share/fonts/arial 
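The following Python is an added example and not part of this guide or of ESM. It performs the two properties-file edits this chapter asks for with one helper: adding font.truetype.path to sree.properties (the Linux steps above) and setting report.scheduler.notify_empty_reports=false in server.properties (the Email to parameter earlier in the chapter). It backs up the file before writing and replaces an existing definition of the key instead of appending a second one, which is the mistake a hand edit tends to make. The file contents used by run_demo() are constructed and written to a temporary directory; point set_property at the real files under $ARCSIGHT_HOME to apply the change. Backslash line continuations are not handled (an assumption: these keys fit on one line).

```python
"""Added example (not ArcSight code): editing a Java-style .properties file the
way the page asks for $ARCSIGHT_HOME/reports/sree.properties (add
font.truetype.path) and server.properties (set
report.scheduler.notify_empty_reports=false). A backup is written first, an
existing key is replaced in place rather than duplicated, and comments are
kept. Backslash line continuations are not handled (assumption: the keys used
here fit on one line). run_demo() exercises both edits in a temp directory."""
import re
import shutil
import tempfile
from pathlib import Path

_SEP = re.compile(r"\s*[=:]\s*|\s+")  # separators java.util.Properties accepts


def _key_of(line):
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None                      # blank or comment line
    return _SEP.split(stripped, maxsplit=1)[0]


def get_property(path, key):
    """Last definition wins, as it does when the Manager loads the file."""
    value = None
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if _key_of(line) == key:
            parts = _SEP.split(line.strip(), maxsplit=1)
            value = parts[1] if len(parts) > 1 else ""
    return value


def set_property(path, key, value):
    """Backs up path to <name>.bak, then sets key=value exactly once.
    Returns True if an existing definition was replaced, False if appended."""
    path = Path(path)
    lines = path.read_text(encoding="utf-8").splitlines() if path.exists() else []
    if path.exists():
        shutil.copy2(path, path.with_name(path.name + ".bak"))
    out, replaced = [], False
    for line in lines:
        if _key_of(line) == key:
            if not replaced:
                out.append(f"{key}={value}")
                replaced = True
            continue                     # drop duplicate definitions of the key
        out.append(line)
    if not replaced:
        out.append(f"{key}={value}")
    path.write_text("\n".join(out) + "\n", encoding="utf-8")
    return replaced


def run_demo():
    """Both edits from the page, against constructed files in a temp dir."""
    work = Path(tempfile.mkdtemp())
    sree = work / "sree.properties"
    sree.write_text("# report engine settings (constructed)\nsome.other.setting=1\n",
                    encoding="utf-8")
    server = work / "server.properties"
    server.write_text("report.scheduler.notify_empty_reports=true\n", encoding="utf-8")
    result = {
        "font_replaced": set_property(sree, "font.truetype.path", "/usr/share/fonts/arial"),
        "font_value": get_property(sree, "font.truetype.path"),
        "sree_comment_kept": sree.read_text(encoding="utf-8").startswith("# report engine"),
        "notify_replaced": set_property(server, "report.scheduler.notify_empty_reports", "false"),
        "notify_value": get_property(server, "report.scheduler.notify_empty_reports"),
        "backup_has_old_value": get_property(server.with_name("server.properties.bak"),
                                             "report.scheduler.notify_empty_reports"),
    }
    # A second run must not add a second line for the same key.
    set_property(server, "report.scheduler.notify_empty_reports", "false")
    result["server_lines"] = len(server.read_text(encoding="utf-8").splitlines())
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The backup matters because both files are read by the Manager at startup; keeping the previous copy next to the edited one lets you revert a typo without consulting the Administrator's Guide for the defaults.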

To generate a report in PDF format to display Chinese, Japanese, Korean (CJK), or 
Romanian characters: 

1 . Log in to the ArcSight Console and open the report. 

2. Find the template used by the report. 

3. Edit the template and select Open in Designer. 

4. Edit the fields that need to display these characters. 

5. Set the fonts to Arial Unicode for the fields that display these characters 

6. Save the template and click Apply. 

7. Run the report with PDF format. 

8. Open the generated report (using Adobe Acrobat Reader 9 or later for PDF) to see these 
characters. 

To generate a report in RTF format to display Chinese, Japanese, Korean (CJK), or 
Romanian characters: 

1. Log in to the ArcSight Console. 

2. Select Edit > Preferences > Global Options. 

3. Set the font to Arial Unicode MS. 

Creating Focused Reports 

In addition to using the reports already available in the Navigator panel's Reports resource tree, you can 
easily make and save refinements to these definitions. These more narrowly defined or focused reports 
are also stored in the resource tree, so other people can also use them. 


HP ESM (6.9.1c) 


Page 411 of 1106 



ArcSight Console User's Guide 
Chapter 14: Building Reports 


Focused reports are identical to other reports. They differ only in being useful variations on already 
defined reports. You create focused reports when you want to make a special variation available to 
other ArcSight users through the Reports resource tree. 

Note: A focused report reflects changes made to the report on which it is based. 


To create a focused report: 

1. In the Navigator panel, choose the Reports resource tree. 

2. On the Reports tab, right-click a report and choose New Focused Report. 

3. In the Focused Report Editor, select the Attributes tab and name the report. Name focused 
reports in a fashion that properly distinguishes them from their originals. 

4. Click the Parameters tab and change any of the values as appropriate. These values are the 
same ones you set when Running a New or Archived Report. 

Tip: You can use Velocity template references for parameter fields that accept text, as 
described in "Velocity References for Reports" on page 1097. 

5. Click Apply to make changes and keep the editor open. Click OK to store the definition in the 
resource tree in the same folder as the original report and close the editor. 


End-to-End Reporting Examples 

This topic includes two examples: 

Quick-start example with Report Wizard - An introductory example of how to create a simple report 
on the results of a single, stock query with the Report Wizard. 

Advanced example - A more in-depth example reporting on the results of several trend-queries and 
using a heavily-modified 3-charts template. This example walks you through creating the following 
resources for example queries, trend, and report: 

• A base query that captures data about number of VPN login attempts per hour. 

• A trend that takes the base query as input, executes it, and stores captured data per a schedule you 
define. 

• Queries that build on the trend to filter on various VPN login outcomes. 

• A report that uses the complex queries as data sources and provides visual representations of 
query results in charts and tables based on an ArcSight provided template. 

Even if you do not anticipate immediately having to create these elements from scratch (ArcSight 
provides a starter set of stock reporting content), we suggest working through both the simple example 
and the more complex one to gain an understanding of how queries, trends, and templates work 
together in the context of reporting. 


Example of Creating a Simple Report with the Wizard 

1. Navigate to the Reports resource in the Navigator panel and click the Reports tab. Right-click 
your user folder and choose Start Report Wizard. 

Click Next on the wizard's welcome page. 

2. On the Report Name page, enter a name for your report (this example uses My Top 10 Events 
Report). Click Next. 

3. On the Data Sources page, select the Queries tab (if not already selected) and navigate the 
Queries tree to choose an existing query. For this example, we select the Top 10 Events query, 
which you can find in Queries/Shared/All Queries/ArcSight Administration/ESM/System 
Health/Events/Top N Activity Reports/. 



Click Next. 

4. On the Template page, select a template. For this example, select the Simple Table Portrait 
template under /Report Templates/Shared/All Report Templates/ArcSight System/. 
Click Next. 

5. On the Bind page, review the data source you selected in a previous step. In our example, we 
chose the Top 10 Events query. 

Click Next. 

6. Review the report configuration summary and verify that all previous settings are reflected here. 

7. When you are satisfied with the report configuration, click Finish on the last page of the Report 
Wizard. 

The Report Editor is automatically displayed on the Attributes tab. 


[Screenshot: Report Editor opened on the Attributes tab (tabs: Attributes, Template, Data, 
Parameters, Notes). Report section: Name = My Top 10 Events Report. Common section: External ID, 
Alias (Display Name), Description, Version ID, Deprecated. Assign section: Owner, Notification 
Groups.] 
8. Click Apply or OK on the Report editor to apply the report name and create the report. 

9. The new report is added to your Reports folder shown in the Navigator. 



10. On the Navigator panel Reports tree, open your Reports folder, right-click the new report and 
select Run > Report with defaults. 


Advanced Reporting Example Overview 

We build an example query that shows the number of login attempts on a virtual private network (VPN). 
Then, we use the query in a trend to collect data on VPN login attempts on an hourly basis. Next, we 
build several more focused queries on top of the trend to get views into particular slices of the data (all 
login attempts, successful logins, and failed logins). 

Finally, we use the data results from the queries and trends to create a report. To format the report, we 
use one of the ArcSight provided templates. 

Start by navigating to the Reports resource in the Navigator panel, then follow these steps to build the 
example report: 

Note: You need a set of canned VPN login events to properly verify the query and trend resources 
created for this example. 


Step 1 - Build the VPN Logins Outcome Query 

Start by building a base query that captures VPN login data and returns a count of hourly VPN login 
attempts. Following is a summary of configuration details you can use to create this query. (If you need 
more general help on creating queries, refer to Building Queries.) 

Query Name and Other General Attributes 

Create a new query, name it, and set the required attributes for it on the Query General tab as shown. 
Query Attributes      Value 

Name                  VPN Logins Outcome - Hourly 

Query on              Event 

Start Time            $Now - 1d 

End Time              $Now 

Use as Timestamp      End Time 

Row Limit             10000 (this is the default) 



Fields to Include in Query Result 

On the Query Fields tab, select fields and apply functions as shown to populate columns in the table of 
result data. 


Selected Fields             Description 

Category Outcome            Add the Category Outcome field to the Query Structure list by clicking the 
                            Add 'SELECT' columns link. This enables the Query Structure's toolbar icons 
                            and also opens the SELECT panel. From the Field Sets panel at the bottom, 
                            select Category\Category Outcome to add it to the list. This column contains 
                            the outcome of each login attempt (/Attempt, /Success, or /Failure). 

Category Outcome (COUNT)    Add a second Category Outcome column to the Query Structure list and apply 
                            the Count function to it. To get this, click the Category Outcome column 
                            you just added, then click the Duplicate Column icon on the toolbar. While 
                            this duplicate is still selected, click on it to display the column's edit 
                            panel. Select COUNT from the Function drop-down menu (the first field), then 
                            click the checkmark icon to apply your changes. Move this column to the top 
                            of the list using the arrow on the toolbar. 

Hour                        Add the variable called Hour, which returns the hour value based on the end 
                            time of the event. To get this variable, on the SELECT panel click the 
                            Fields & Global Variables tab. Expand /All Fields/ArcSight 
                            Foundation/Variables Library/Timestamp Formats and select Hour. This column 
                            contains the hour of the login attempt. 


After you click Apply, the Group By list is automatically populated with Category Outcome and Hour. 


Query Structure as shown on the Fields tab of the VPN Logins Outcome - Hourly query: 

  SELECT     Count(Category Outcome) COUNT 
             Category Outcome 
             Hour 

  GROUP BY   Category Outcome 
             Hour 

  ORDER BY   (none) 


Query Conditions 

On the Query Conditions tab, define some logical conditions for the login data that narrow the query 
result to return only the data you are interested in. Filter on VPN Logins by specifying that each login 
attempt must be categorized in a specific event category and device group: 

Category Behavior = /Authentication/Verify 
Category Device Group = /VPN 

Also, each login attempt must have a target user name value: 

Target User Name Is NOT NULL 

Together, the Field Conditions on this query read: 

  Category Behavior = /Authentication/Verify 
  AND Category Device Group = /VPN 
  AND Target User Name Is NOT NULL 


Click Apply or OK in the Query Editor to save the new query. 

Step 2 - Build the VPN Logins Outcome Hourly Trend 

Next, create a new trend, name it, and set general attributes for it on the trend Attributes tab as shown. 
This trend uses the data results from the VPN Logins Outcome Query you just created. Keep the 
defaults for trend interval (1 hour to collect data on an hourly basis) and row limit at 1,000 (it stops 
collecting data when the table is filled at that limit). 


Trend Attributes        Value 

Name                    VPN Logins Outcome - Hourly 

Query                   VPN Logins Outcome - Hourly 

Enabled                 On 

Trend Interval          1 hour (default) 

Row Limit               1000 (default) 

Offset Collection By    1 day 

Trend Schedule 

Schedule Frequency      Hourly, every 1 hour 

Occurs at               0 minutes after the hour 



Under Data Fields, you can see the fields the trend is getting from the query initially reflected with the 
original field names: TimeStamp, Count(Category Outcome), Category Outcome, and Hour. For 
readability, change the first two fields to the aliases Time and Number of Logins as shown below 
(double-click on the actual field name and type over the existing name). 



From here, you can test the trend to ensure you are getting correct data. To do this, click the Test 
button on the trend Attributes tab. The Test Trend dialog returns an example result set. For each row, 
the trend should return the timestamp, the count of login attempts, the Category Outcome (/Attempt, 
/Failure, or /Success), and the Hour (from the Hour variable). 
Trends also have schedules. On the Trend Schedule tab, define a schedule that specifies how often 
you want to run the trend. For the example, define this one to run every hour on the hour (Hourly, every 
1 hour at "0 minutes after"). 

A trend's range defines when to start and terminate the data collection. 

The trend starts as you specified and keeps going until it is manually terminated. 

Here is the data collected from a trend that ran hourly for a few days. You can view result data from 
your trend in the grid view by selecting the trend in the Navigator and clicking the Data Viewer for it in 
the right-click menu. 


Data Viewer: VPN Logins Outcome - Hourly (871 shown / 871 matches, Filter: No Filter) 

Time                        Number of Logins    Category Outcome    Hour 
27 Jul 2006 12:48:26 PDT    26                  /Attempt            12 
27 Jul 2006 12:48:26 PDT    100                 /Attempt            13 
27 Jul 2006 12:48:26 PDT    12                  /Failure            12 
27 Jul 2006 12:48:26 PDT    47                  /Failure            13 
27 Jul 2006 12:48:26 PDT    13                  /Success            12 
27 Jul 2006 12:48:26 PDT    54                  /Success            13 
28 Jul 2006 08:48:26 PDT    22                  /Attempt            8 
28 Jul 2006 08:48:26 PDT    80                  /Attempt            9 
28 Jul 2006 08:48:26 PDT    10                  /Failure            8 
28 Jul 2006 08:48:26 PDT    38                  /Failure            9 
28 Jul 2006 08:48:26 PDT    12                  /Success            8 
28 Jul 2006 08:48:26 PDT    42                  /Success            9 
28 Jul 2006 09:48:26 PDT    23                  /Attempt            9 
28 Jul 2006 09:48:26 PDT    78                  /Attempt            10 
28 Jul 2006 09:48:26 PDT    13                  /Failure            9 
28 Jul 2006 09:48:26 PDT    35                  /Failure            10 
28 Jul 2006 09:48:26 PDT    11                  /Success            9 
28 Jul 2006 09:48:26 PDT    42                  /Success            10 


When you are satisfied that the trend is set up correctly, click Apply or OK in the trend Editor to save 
the trend. 

Step 3 - Filter the Trend Data (Login Attempts, Successes, Failures) 

You can further refine the VPN login query data by creating separate queries based on the trend, each 
of which captures information about a particular aspect of VPN login events. Developing several 
trend-based queries like this (to show different data slices of common scenarios) gives you a rich set 
of data views from which to run reports later. 

Create three more queries all of which use the original trend as their data source, and then further filter 
the data to show only attempts, failures, or successes, respectively. Use each of these queries, 
Attempt, Failure, and Success, to further filter the login data captured in the trend: 

• Login Outcome Trend Query - Attempt 

• Login Outcome Trend Query - Failure 

• Login Outcome Trend Query - Success 
As an example of how this is done, here are the details for creating one of these, the Failure query 
definition. 

Create a new query and name it Login Outcome Trend Query - Failure. 

As the query's data source type (Query On), choose Trend and select the “VPN Logins Outcome - 
Hourly” trend. 

In the Query Fields tab, choose the same fields as in the original query to populate columns. 


[Screenshot: Query Editor, Fields tab, for the trend-based query. Query Structure: SELECT 
Count(Category Outcome) COUNT, Category Outcome, Hour; GROUP BY Category Outcome, Hour; ORDER BY 
none.] 


On the Conditions tab, specify Category Outcome = /Failure. The query only returns the login 
attempts that failed. 



Save your changes. You have now built a query that reports on failed VPN login trends. 

Create the other two queries (Login Outcome Trend Query - Attempt and Login Outcome Trend Query - 
Success) the same way specifying the appropriate Category Outcome condition for each. 

You are ready to report on the trend data. 
Step 4 - Create the VPN Logins Outcome Report on Trend Data 

You can leverage multiple data sources in your report. For this example, you can use all three of the 
VPN Login trend-based queries you just built to create a report. 

On the Reports tab, create a new report in your user folder and name it VPN Login Outcome Trend. 

Choose a Template and Bind it to Result Data 

A Template defines the visual constructs of a report such as layout, portrait or landscape, number of 
tables, number and types of charts, placeholders for text areas, and so on. You can find the ArcSight 
provided templates under Report Templates/Shared/All Report Templates/ArcSight System/. 

In the Editor (Inspect/Edit panel) for your new report, click the Template tab and select the Three 
Charts Landscape to use as the Report Template. (Look in the drop-down tree under 3 charts/Without 
Table/ to find this template). In the preview panel you can see what the report template looks like. 
Double-click the template preview to open it in the viewer. Here you can see what the report looks like 
before adding the data. 
On the Reports Data tab, you can bind each of the three charts in the template to each of the VPN login 
"trend" queries. (The data source type for each of these charts is a query, but remember that each of the 
queries uses a trend as its data source, which, in turn, was built on our original query.) 


Chart      Description 

Chart 1    • On the Report Data Chart 1 tab, select Login Outcome Trend Query - Attempt as the 
             Data Source for the first chart. This query returns the number of login attempts per 
             hour. 

           • For Chart Type, select a line chart. 

           • On the Data (X-Axis) tab, add the Hour value to the Selected Columns. This displays the 
             Hour value on the horizontal axis. 

           • On the Y-Axis (vertical) tab, place the Number of Logins (Category Outcome with 
             "Count" applied to it) in Selected Columns. This displays the count of login attempts on 
             the vertical axis. 

Chart 2    On the Report Data Chart 2 tab, select Login Outcome Trend Query - Failure as the data 
           source for the second chart. This query returns the number of failed logins per hour. 

           Configure this chart also to show the Hour value on the X (horizontal) axis, and the number 
           of failed logins on the Y (vertical) axis. 

Chart 3    On the Report Data Chart 3 tab, select Login Outcome Trend Query - Success as the 
           data source for the third chart. This query returns the number of successful logins per hour. 

           Specify the same assignments as the other charts for the X and Y axes. 


Tip: You can click Apply to save the new Report and then continue working. It is a good idea to 
save frequently. 


Use Custom Parameters 

On the Report Parameters tab, you can view all the common parameters for the report (in Report 
parameters area), and all the parameters required for each chart (in Query Parameters area). 

You can also provide Custom parameters. You can use Custom parameters to tie together similar 
parameters from multiple queries for one consistent value. For example, we could do this with Start 
Time and End Time. 
Query Parameters as initially listed on the Parameters tab (one group per chart, each parameter with 
Use Default checked): 

Chart      Name          Value 
Chart 1    Time Zone     Manager Time Zone 
           Row Limit     25 
           Start Time    $Now - 1d 
           End Time      $Now 
Chart 2    Time Zone     Manager Time Zone 
           Row Limit     25 
           Start Time    $Now - 1d 
           End Time      $Now 
Chart 3    Time Zone     Manager Time Zone 
           Row Limit     25 
           Start Time    $Now - 1d 
           End Time      $Now 


Create a new Custom parameter called “start_time”: 

Click the Add button on the Parameters tab, and create a new parameter called start_time to prompt 
for Start Time field values. Map it to “Start Time” for all three charts (Chart 1 , Chart 2, and Chart 3). 



The custom parameter is added to the list of report parameters under Custom Parameters. 

Similarly, add an End Time by adding a new parameter called “end_time” and map it to End Time for all 
three charts. 

On the Parameters tab under Custom Parameters, use the drop-down menus to choose the following 
values for your new parameters: 

• Set start_time to $Now - 1d 

• Set end_time to $Now 
Click Apply or OK in the Report Editor to save the new report. 

Step 5 - Run the Report 

To run the report, select the VPN Login Outcome Trend report in the Navigator panel and choose Run > 
Report with defaults from the right-click menu to run and view the report. 

The report will now have three charts each showing a different slice of the data: 

• Number of login attempts 

• Number of failed logins 

• Number of successful logins 
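The resource chain built in Steps 1 through 5, traced in plain Python as an added example. This is not ArcSight code and not the Console's query engine: it re-implements the base query's conditions and grouping, an hourly trend that stores the query rows under the Time and Number of Logins aliases, the three trend-based queries, and the report binding with the start_time and end_time custom parameters, over a handful of constructed VPN login events. The event dictionaries, the ev() and example_run() helpers, and the report output shape are assumptions made for the illustration.

```python
"""Model of the VPN Logins Outcome example: base query -> trend -> trend queries -> report.

Added illustration, not ArcSight code: the resource logic is re-implemented in plain
Python over constructed events so the data flow from Step 1 to Step 5 can be followed.
"""
from collections import Counter
from datetime import datetime, timedelta

VERIFY, VPN = "/Authentication/Verify", "/VPN"


def ev(hour, minute, outcome, user="alice", group=VPN, behavior=VERIFY):
    """Constructed event on 27 Jul 2006 carrying the fields the example conditions use."""
    return {"endTime": datetime(2006, 7, 27, hour, minute), "categoryBehavior": behavior,
            "categoryDeviceGroup": group, "categoryOutcome": outcome, "targetUserName": user}


# Constructed sample events (hypothetical, not captured data).
EVENTS = [
    ev(12, 1, "/Attempt"), ev(12, 1, "/Success"),
    ev(12, 7, "/Attempt"), ev(12, 7, "/Failure"),
    ev(12, 30, "/Attempt"), ev(12, 30, "/Success"),
    ev(13, 2, "/Attempt"), ev(13, 2, "/Failure"),
    ev(13, 45, "/Attempt"), ev(13, 45, "/Success"),
    ev(12, 15, "/Attempt", group="/Firewall"),               # excluded: not a VPN device
    ev(12, 16, "/Failure", user=None),                       # excluded: Target User Name is NULL
    ev(12, 17, "/Success", behavior="/Authentication/Add"),  # excluded: wrong Category Behavior
]


def vpn_logins_outcome_hourly(events, start_time, end_time, row_limit=10000):
    """Step 1 base query: SELECT Count(Category Outcome), Category Outcome, Hour
    over events in [start_time, end_time) that satisfy the three conditions,
    GROUP BY Category Outcome, Hour."""
    counts = Counter()
    for e in events:
        if not (start_time <= e["endTime"] < end_time):      # Use as Timestamp: End Time
            continue
        if e["categoryBehavior"] != VERIFY or e["categoryDeviceGroup"] != VPN:
            continue
        if e["targetUserName"] is None:                      # Target User Name Is NOT NULL
            continue
        counts[(e["categoryOutcome"], e["endTime"].hour)] += 1
    rows = [{"Count(Category Outcome)": n, "Category Outcome": o, "Hour": h}
            for (o, h), n in sorted(counts.items())]
    return rows[:row_limit]


class Trend:
    """Step 2: runs the base query on a schedule and stores the rows in a trend table."""

    def __init__(self, query, interval=timedelta(hours=1), row_limit=1000):
        self.query, self.interval, self.row_limit = query, interval, row_limit
        self.rows = []  # the trend table; first two columns aliased Time / Number of Logins

    def run(self, events, run_time):
        """One scheduled run covering the trend interval that ends at run_time."""
        for r in self.query(events, run_time - self.interval, run_time):
            if len(self.rows) >= self.row_limit:
                break  # collection stops once the table reaches the row limit
            self.rows.append({"Time": run_time, "Number of Logins": r["Count(Category Outcome)"],
                              "Category Outcome": r["Category Outcome"], "Hour": r["Hour"]})
        return self.rows


def login_outcome_trend_query(trend, outcome, start_time, end_time):
    """Step 3: a query whose data source is the trend, with Category Outcome = outcome.
    Returns (Hour, Number of Logins) pairs, the X and Y columns the charts use."""
    return sorted((r["Hour"], r["Number of Logins"]) for r in trend.rows
                  if r["Category Outcome"] == outcome and start_time <= r["Time"] < end_time)


def vpn_login_outcome_trend_report(trend, start_time, end_time):
    """Steps 4 and 5: bind each chart to one trend query; start_time/end_time are the
    custom parameters mapped to Start Time / End Time of all three charts."""
    return {f"Chart {i} - {name}": login_outcome_trend_query(trend, f"/{name}", start_time, end_time)
            for i, name in enumerate(("Attempt", "Failure", "Success"), start=1)}


def example_run(row_limit=1000):
    """Two hourly runs over the constructed events, then the report for that day."""
    trend = Trend(vpn_logins_outcome_hourly, row_limit=row_limit)
    for run_at in (datetime(2006, 7, 27, 13), datetime(2006, 7, 27, 14)):  # hourly schedule
        trend.run(EVENTS, run_at)
    return trend, vpn_login_outcome_trend_report(trend, datetime(2006, 7, 27), datetime(2006, 7, 28))


if __name__ == "__main__":
    trend, report = example_run()
    print(f"{len(trend.rows)} trend rows")
    for chart, series in report.items():
        print(chart, series)
```

The three excluded events show why each condition matters: without the device-group condition the firewall event would inflate the attempt count, and without the NOT NULL condition an event with no target user (which cannot be tied to an account) would count as a failure. The row_limit argument reproduces the behaviour noted in Step 2: once the trend table is full, later runs silently stop adding rows, so a limit sized for a day of data will truncate a trend that runs for weeks.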
Chapter 15: Building Trends 

A trend is an ArcSight resource that defines how and over what time period data are aggregated and 
evaluated for tendencies and patterns. A trend executes a specified query on a defined schedule and 
time duration. 

The ArcSight trends engine evaluates source data for trends based on: 

• Event conditions, such as 

■ Number of worm outbreaks 

■ Incident time-to-close 

■ Number of cases closed 

• Common network elements, such as 

■ Operating system 

■ Business role 

■ Regulatory compliance relevance 

Trends can be used as the primary data source for a report, or used as the data source input to another 
query which is then used in a report (perhaps along with other queries or trends). 

Building trends is a component of ArcSight Reporting resource tools. Be sure to start with "Building 
Reports" on page 371 for an overview of all reporting tasks and tools, and "Understanding the Reporting 
Workflow" on page 371 to see how trends fit in to the process of creating a report. 


How Trends Work 

A trend references a query, specifies a schedule on which the query automatically triggers, and 
provides mechanisms for efficiently storing, viewing, and leveraging the trend results for reporting. The 
trend results are stored in a trend table in the ArcSight database and can therefore be queried. 

You can set trends to run indefinitely or to end at a specified date and time. A trend can start retrieving 
historical data from logs, start with current events, or at some specified time in the future. You can also 
specify advanced options on how and when to build tables and store data. 

After trend data is collected, you can view the results in the Data Viewer table and generate a trend 
report that displays the results in tables and graphs. 
[Figure: reporting workflow diagram. Legible callouts: "2. Define trend parameters" and "3. Create 
report that consumes query data and binds it to a template".] 

Depending on the data gathered by the base query, the trend is either a snapshot trend or an interval 
trend. 
Snapshot Trend 

A snapshot trend uses a query that operates on a fixed moment in time, for example, to gather 
information about assets on your network. Snapshot trends are built from queries based on assets, 
cases, or notifications. For example, snapshot queries and the trends built from them would be used to 
determine metrics such as current number of assets, number of systems with a particular operating 
system, or number of systems with particular vulnerabilities. A snapshot trend operates on data in the 
current moment in time, and only collects data going forward. Therefore, you cannot use trends to 
answer the question, “how many assets were in this zone a month ago?” You can use trends to collect 
data from this point forward, however, and in a month from now, you have a month's worth of data 
telling you how many assets were in this zone at regular intervals over the last month. 


Interval Trend 

An interval trend uses a query that operates on events that happen over a specified time window. For 
example, the trend gathers information about how many events of a particular description occurred 
daily over a 6-month period. 

Interval trends are event based. For example, an interval trend using a base query with a time window 
could gather information to determine the number of login attempts in the past hour. You can refresh an 
interval trend manually as needed by selecting the trend in the Navigator and selecting Refresh on the 
right-click context menu. 


Query-Trend Relationships in Reporting 

A base trend is made of one query. Trends can be used as the primary data source for a report. Or, a 
trend based on one query can be used as the data source to another query that further refines the initial 
query result. A collection of trend queries (queries that use trends as their data source) can provide 
focused views of a data set, which can then be fed into a single report or multiple reports. 
[Figure: query-trend relationships in reporting. Callouts, from the base query upward: 

• Base Query (for example, a base query could return a count of all VPN login attempts, 
  successes, and failures). 

• Trend uses the base query and triggers it on a schedule (for example, hourly). 

• You can create queries to slice the data captured in a trend. (For example, create 3 new 
  queries. Each queries on the same trend but captures a different slice of the data: login 
  attempts, successes, or failures.) 

• Create reports to bind data results from queries and trends to templates. Use report 
  definitions to control which data is displayed and how. 

• Choose stock or custom templates for reports to define display of query and trend data in a 
  report. Templates specify which data shows up, visual elements used (tables, charts, graphs), 
  layout, report output file format, and more.] 

For example, you could create a trend called “VPN Logins Outcome - Hourly” that references a query 
that returns all VPN login attempts, successful logins, and failed attempts. You could schedule the 
trend to run hourly. You can use this base trend directly in a report. 

A more powerful approach would be to refine further the data results by creating three new trend 
queries, each of which takes the base trend as its data source, but then sets further conditions on the 
query data to return one specialized slice of the results. One query could return only login attempts, 
another only successful attempts, and another only failed attempts. You could then draw on four 
queries in a single or multiple reports to show different views of the data. (The base query would show 
all types of login events, and the other three would show the focused views.) 

A single query or trend can feed data into multiple reports, and a single report can capture data from 
multiple queries and trends. 

The ability to automate and refine queries by feeding them into trends and vice versa, along with the 
flexibility in populating reports, solves many typical enterprise security reporting challenges. You can 
build a trend that gets a daily event count, feed the trend into a query that sums up the daily counts to 
get a monthly event count, and even feed that monthly count query into another trend and so forth. 
Managed Security Service Providers (MSSP) can tier query-trend approaches to create focused reports 
for multiple customers built from what are initially broad range queries. 


Building a Trend 

Before you begin building a trend, make sure that you have a query defined that captures the data on 
which to build a trend. See "Building Queries" on page 301 if you need more information. 

Note: For a query used in a trend, the query and associated schema referenced in the trend are set 
at the time the trend was created. After the trend is created, you can modify some elements of the 
query if they do not affect the trend. For example, you can add or remove columns in the query if 
the related trend does not depend on them. Such modifications made to a referenced query are not 
reflected in the trend. If you modify aspects of the query that a trend depends on, the trend is 
disabled. 


Navigating to Trends 

In the Navigator panel, select the Reports resource from the drop-down menu and click the Trends 
tab. Trend groups (folders) are organized according to users. 


[Screenshot: Navigator panel with the Reports resource selected and the Trends tab active (tabs: 
Reports, Trends, Queries, Templates, Archives). The tree shows Trends > Shared > Trends with the 
groups ArcSight Administration, ArcSight Foundation, ArcSight Solutions, Downloads, Personal (with 
per-user groups such as admin's Trends, admin2's Trends, admin3's Trends, jingt's Trends, and op's 
Trends), and Public.] 

Creating a Trend 

Caution: Do not exceed 10,000 resources in a group. 

As a general rule, it is best to create new content under an individual folder. The high-level steps for 
creating a trend are as follows: 

1. Expand the Trends navigator to display the trend groups. Right-click a trend group (folder) and 
select New Trend. 

2. In the edit panel, define trend attributes. At a minimum, fill in the required values (red asterisks) on 
the Attributes tab as described in the "Trend Attributes" topic. 

3. Verify the trend schema represented by the selected Data Fields is appropriate. 

4. Test the trend schema to make sure it is returning the expected data as described in "Testing a 
Trend". 

5. Define a trend schedule as described in "Trend Schedule". 

6. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 
7. Click Apply or OK to create the new trend. 


Caution: Do not click Apply or OK until you have defined the required values in the Trend 
section (trend name and query to use) and the trend schema in the Data Fields section of the 
Attributes tab. When you commit changes to the trend, the query and the schema are set and 
cannot be edited. If you decide to use a different base query or need to make a change to the 
schema, delete the trend and start with a new trend. 


Note: A trend uses a “snapshot” version of the query as its data source. After you have used a 
query in a trend, you can modify some elements of the query if they do not affect the trend. For 
example, you can add or remove columns in the query if the related trend does not depend on 
them. Such modifications made to a referenced query are not reflected in the trend. If you 
modify aspects of the query that a trend depends on, the trend is disabled. 


Defining Trend Settings 

Use the Trend Editor to build a new trend or edit an existing one. 

Trend Attributes 


The following fields in the Trend section are required attributes to specify when creating a trend. 

Trend Attributes 

Field      Description 

Name       Name for the trend. Spaces and special characters are OK. The name you enter here is 
           the alias that appears in data source pick lists in other editors. 

Query      Specifies the query that this trend uses. 

           If you are creating a new trend, use the Query drop-down menu to select a base query as 
           the source data for your trend. See "Building Queries" on page 301 for information about 
           queries. 

           Trends tend to use up system resources, so make your queries for trends as refined as 
           possible. 

           Caution: 

           • After the trend is created, you can still add columns to the base query, but columns 
             added after the trend is created are not used by the trend. You can remove columns 
             from the base query that the trend does not use. For a trend to pick up a modified 
             query, you must create a new trend and select that modified query. 

           • The Trend table has a limitation in that the table stores only a single element for Group 
             variables (for example, GetGroupsOfAssets or FormatGroupsOfAssets). Therefore, if 
             you are querying an active list containing a list field of resource references, the trend 
             displays only one resource reference instead of the complete list. Query viewers and 
             reports do not have this limitation, and are therefore a better choice for this scenario. 

Enabled    By default, the Enabled check box is checked. This activates the trend to begin working 
           on live data as soon as the trend is created. Uncheck this box if you want to experiment 
           with the trend before pushing it live. 


The following example shows a trend that uses the Events Count query as its basis. 



The Data Collection section provides default values for row limit and query duration. You can keep the 
defaults or modify as needed. 
Data Collection Fields 

Field            Description 

Trend Interval   Time span over which the trend operates. The default is one hour. For example, if the 
                 query counts the number of logins, this setting counts the number of logins every hour. 

Row Limit        Maximum number of rows of data the trend captures. 

                 The default number is based on the query's row limit, or 1000. The trend row limit can 
                 override that of the query's, without affecting the original query's row limit. 

The Advanced section provides optional settings to offset trend data collection and refresh trend data 
at a specified point in the future. By default, the offset and refresh values are set to None. You can 
keep the defaults or modify as needed. 
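To make the Advanced settings described in the table below concrete, here is an added Python model (not ArcSight code) of how Trend Interval, Offset Collection By, Refresh Data After and Query Overlap Time change what one trend run sees when a SmartConnector delivers an event late. The window arithmetic (a run still covers the interval that ends at its scheduled time; an offset or a refresh only changes when the query executes; overlap extends the window backwards) is this editor's reading of the descriptions that follow, and the events, their receivedTime field and the helper names are constructed for the illustration.

```python
"""Model of trend windowing: Trend Interval, Offset Collection By, Refresh Data After
and Query Overlap Time, over constructed events that include one late arrival.

Added illustration, not ArcSight code. How the settings combine is an assumption
drawn from their descriptions; the event records and field names are invented.
"""
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
ZERO = timedelta(0)


def event(end, received=None):
    """Constructed event: its end time (the query timestamp) and when the Manager received it."""
    return {"endTime": end, "receivedTime": received or end}


D = datetime(2006, 7, 27)
EVENTS = (
    [event(D + timedelta(hours=10, minutes=m)) for m in (5, 12, 20, 33, 41, 58)]   # hour 10: 6 events
    + [event(D + timedelta(hours=11, minutes=m)) for m in (9, 47)]                # hour 11: 2 events
    + [event(D + timedelta(hours=12, minutes=m)) for m in (3, 18, 29, 44)]        # hour 12: 4 on time
    + [event(D + timedelta(hours=12, minutes=50),                                 # hour 12: 1 event
             received=D + timedelta(hours=13, minutes=20))]                       # delivered 30 min late
)


def count_in_window(events, start, end, as_of):
    """What a query sees: events with end time in [start, end) that had arrived by as_of."""
    return sum(1 for e in events if start <= e["endTime"] < end and e["receivedTime"] <= as_of)


def trend_run(events, scheduled, interval=HOUR, offset=ZERO, overlap=ZERO):
    """One run of the trend scheduled at `scheduled`. The window is the trend interval ending
    at the scheduled time; Offset Collection By delays execution; Query Overlap Time extends
    the window backwards into the previous run's range."""
    collected_at = scheduled + offset
    start = scheduled - interval - overlap
    return collected_at, count_in_window(events, start, scheduled, collected_at)


def refresh_run(events, scheduled, refresh_after, interval=HOUR):
    """Refresh Data After: re-evaluate the same window later to pick up late events."""
    return trend_run(events, scheduled, interval, offset=refresh_after)


def trailing_average(events, scheduled, periods, interval=HOUR):
    """Trailing N-interval moving average via Query Overlap Time = (N - 1) * interval."""
    _, total = trend_run(events, scheduled, interval, overlap=(periods - 1) * interval)
    return total / periods


def example():
    """The run scheduled for 13:00 covers 12:00-13:00 under each setting."""
    t = D + 13 * HOUR
    return {
        "no offset": trend_run(EVENTS, t)[1],                               # late event missed
        "offset 30 min": trend_run(EVENTS, t, offset=timedelta(minutes=30))[1],
        "refresh after 1 h": refresh_run(EVENTS, t, HOUR)[1],
        "overlap 1 h": trend_run(EVENTS, t, overlap=HOUR)[1],              # hours 11 and 12
        "trailing 3 h average": trailing_average(EVENTS, t, 3),
    }


if __name__ == "__main__":
    for setting, value in example().items():
        print(f"{setting:>22}: {value}")
```

The first three results are the practical point of the offset and refresh settings: a trend that drives a failed-login report under-counts by exactly the events that arrived after the run, so a connector that routinely lags needs either an offset at least as large as its lag or a scheduled refresh, and a one-off outage is better handled by a manual refresh than by a permanent refresh interval. The last two results show that overlap does not change the window's end, only how far back it reaches, which is what a moving average needs.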


Advanced Fields 

Field                  Description 

Offset Collection By   Delays trend data collection by the time period specified. Offsetting trend data 
                       collection time enables you to compensate for events that arrive to the Manager 
                       late, either from a time zone lag or other data collection lag. Trend data 
                       collection starts after the time delay entered here. 

                       Enter a time delay and select Hours or Minutes from the drop-down menu. The 
                       default offset is None. 

Refresh Data After     Triggers the system to automatically re-evaluate the query data at a later time 
                       to capture any additional events that may have come in late. 

                       Enter a refresh interval and select Hours or Minutes from the drop-down menu. 
                       The default refresh is None. 

                       Note: The Manager supports late arrival of events. For example, a 
                       SmartConnector can send a batch of events later if it is falling behind. Consider 
                       explicitly scheduling a refresh of trend data only if SmartConnectors frequently 
                       lag behind in sending events to the Manager. If SmartConnectors rarely go down 
                       and are generally on time delivering events, there is no need to set this option. 

                       Caution: Automatic data refreshes can be resource intensive. If possible, 
                       consider manually refreshing your trend for a special reason, such as system 
                       downtime that causes trends not to run on schedule. For manual refreshes, click 
                       the Refresh Trend Runs button on the trend editor's panel, then cancel when done. 

Partition Size         Specifies the time range of partitions for this trend data, which in effect 
                       determines the partition size. 

                       The default "time slice" for trend tables is WEEKLY. That is, if the default 
                       setting is used, each partition would contain a week's worth of data. Partition 
                       size can be set to weekly or monthly. You can always modify the Partition Size as 
                       needed by editing the trend definition. 

                       The Partition Size works in concert with the Partition Retention Period, described 
                       below. 

Partition Retention Period (in days) 

Specifies the number of days to retain the partitions from this trend as active in the 
ArcSight database. The default is 180 days. You can always modify the Partition 
Retention Period as needed by editing the trend definition. 

Note: The Partition Retention Period works in combination with the Partition Size. The 
system makes sure you always have at least as much data as you specified in the 
configuration of these two settings. Likewise, to allow for factors such as time zones and 
daylight saving time, more data (never less) is retained. For example, if the Partition 
Size is set to MONTHLY and the Partition Retention Period is 45 days, the system 
stores two months' worth of data in two partitions. If the Partition Retention Period is set 
to 0 days, the data collected from one run of the trend is retained until the next partition is 
started. For example, if the Partition Size is MONTHLY and the Partition Retention 
Period is 0 days, then you keep one month's worth of data. Make sure that the trend 
start date is appropriate; a trend with a MONTHLY partition size, 0 days retention, and a 
start date near the end of the month would not keep its data for very long. 

Query Overlap Time 

The query overlap time is the amount of time by which the next query should overlap 
with the previous query (overlapping the tail end of the previous query). By default, 
queries for interval trends have no gaps and no overlaps. 

The default overlap is 0 (None), which corresponds to the normal non-overlapping trend 
query case. 

By setting a query overlap time, you can configure a trend to support calculations like 
trailing N-day moving averages. The query overlap time extends the trend to include 
overlapping query ranges. 

For example, to collect moving average data over a 10 day period, you could run the 
query each day over the previous 10 days. A query overlap time set to 0 (the default) 
would result in non-overlapping runs, such that the query would run every 10th day over 
the previous 10 days. 

On the other hand, to get an overlapping trend run, you could specify a 9 day overlap. 
With this setting, the query would run every day (10 day query - 9 day overlap = 1 day) 
over the previous 10 days. The trend would gather data every day for days 1-10, 2-11, 
3-12, and so forth. 

Notes: 

• Do not use queries on the event table for anything longer than a day. Queries longer 
than a day should normally only run on other trend tables to allow the query to finish 
in a reasonable amount of time. 

• This option is enabled for snapshot trends. 
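The following is an added example, written for this page and not taken from the ESM documentation or product: it models how the Query Overlap Time setting above turns a query range into a sequence of run windows, and uses those windows to compute the trailing 10-day moving average the text mentions. The day numbering, the window convention and the sample counts are assumptions made for the example.

```python
"""Added example (my code, not part of the ESM documentation): a model of
how Query Overlap Time turns a query range into a sequence of trend run
windows, and of the trailing N-day moving average such windows support.

Assumed conventions (mine): days are numbered from 1; a run covering
`query_days` days that starts on day s spans days s .. s+query_days-1;
the next run starts query_days - overlap_days days later.
"""
from statistics import mean
from typing import Dict, List, Tuple


def run_windows(query_days: int, overlap_days: int, last_day: int) -> List[Tuple[int, int]]:
    """Return the (first_day, last_day) windows the trend would gather,
    stopping once a full window no longer fits before last_day.

    overlap_days = 0 is the non-overlapping default (a 10-day query runs
    every 10th day); overlap_days = query_days - 1 runs it every day.
    """
    if not 0 <= overlap_days < query_days:
        raise ValueError("overlap must be >= 0 and shorter than the query range")
    step = query_days - overlap_days
    windows = []
    start = 1
    while start + query_days - 1 <= last_day:
        windows.append((start, start + query_days - 1))
        start += step
    return windows


def trailing_averages(daily_counts: Dict[int, int], query_days: int,
                      overlap_days: int) -> Dict[int, float]:
    """Mean of daily_counts over each run window, keyed by the window's last day.
    With a 9-day overlap on a 10-day query this is a trailing 10-day moving
    average computed once per day."""
    last_day = max(daily_counts)
    averages = {}
    for first, last in run_windows(query_days, overlap_days, last_day):
        averages[last] = mean(daily_counts[d] for d in range(first, last + 1))
    return averages


# Constructed sample input: failed-login counts for 12 days, flat at 10 per day
# with a spike to 60 on day 12.
SAMPLE_COUNTS = {day: 10 for day in range(1, 12)}
SAMPLE_COUNTS[12] = 60


if __name__ == "__main__":
    print(run_windows(10, 0, 30))  # [(1, 10), (11, 20), (21, 30)]
    print(run_windows(10, 9, 12))  # [(1, 10), (2, 11), (3, 12)]
    print(trailing_averages(SAMPLE_COUNTS, 10, 9))  # {10: 10, 11: 10, 12: 15}
    # with no overlap, days 11-12 are not examined until the run on day 20
    print(trailing_averages(SAMPLE_COUNTS, 10, 0))  # {10: 10}
```

The last two calls show the practical difference: with a 9-day overlap the spike on day 12 shows up in that day's average, whereas with the default (no overlap) nothing is computed for days 11 and 12 until the next 10-day run completes.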

Imported Trend Start Time 

If the trend is exported without schedule start and end times, the trend start time 
specified here is used when the trend is imported. Consider using a dynamic start time 
such as $Today-1w to ensure that the trend does not use a very old start date (for 
example, when a trend exported six months ago is only now being imported). Otherwise, 
you run the risk of the trend not returning data because the data no longer exists in the 
system. 

If the trend is exported without Schedule start and end times and no value is specified 
for Imported Trend Start Time, then when the trend is imported it defaults to using 
$CurrentDate as the start time. With $CurrentDate, the trend captures data starting 
from 12:00:00 AM of the current day. 

Note: The imported trend start time takes effect only if the trend is exported without 
a Schedule start time. To exclude the Schedule start time from a trend upon export, set 
the package Format option to Export. For information on this, see the description of the 
package Format options in "Creating or Editing Packages" on page 694. 

Imported Trend End Time 

If the trend is exported without schedule start and end times, the trend end time 
specified here is used when the trend is imported. 

If the trend is exported without a Schedule end time and no value is specified for Imported 
Trend End Time, then when the trend is imported it defaults to using no end time. (With 
this setting, the trend runs indefinitely until it is manually disabled or edited to include an 
end time.) 

Note: The imported trend end time takes effect only if the trend is exported without 
a Schedule end time. To exclude the Schedule end time from a trend upon export, set the 
package Format option to Export. For information on this, see the description of the 
package Format options in "Creating or Editing Packages" on page 694. 


Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 

The Data Fields section is where you build the trend schema. This is populated automatically when 
you first select the query to use in this trend. The list shows the data fields collected by the query you 
chose. By default, all the query fields are selected for use in the trend. If you do not want to use a 
particular data field, clear (click to remove the check mark) the Use box for that item. Also, you can 
select which fields you also want to index. Indexing is done mostly for query efficiency, and 
TimeStamp is selected by default. It is helpful if the query you are using returns a large amount of data, 
and you want to run sub-queries on the data. 
[Data Fields table: columns Name, Use, Index. Example rows: TimeStamp, Attacker Address, 
Attacker Asset Name, Attacker Zone, Device Event Category, End Time, each with a Use check 
box and an Index check box; TimeStamp is indexed by default.] 

The Summary box at the bottom displays a summary of the query interval and the schedule on which it 
runs. 


Trend Schedule 

Click the Trend Schedule tab to review or modify settings for the following parameters: 

• Schedule Frequency - Specifies how often the query runs and gathers data. The default is to run 
once every hour on the hour. 

• Schedule Range - The Start field for the range specifies the oldest data to get. By default, the date 
and time the trend was created is used as the trend schedule start time. Make sure this date is 
within your storage's retention period; otherwise, the trend may not return any data from the oldest 
specified date. 

By default, there is no End Date. This means that, moving forward, the trend continues to collect 
data. 

With the default settings, this trend would collect data once every hour on the hour until it is disabled 
manually. 

A Summary of the configured schedule is shown at the bottom of the tab. 
Trend Parameters 

The Parameters tab lets you further refine the query results in terms of row limits, time zone 
constraints, filters, and start and end times. If you set parameters in the base query used by this 
trend, those parameters show up on the Trend Parameters tab. In the Trend, you can specify default 
parameters. 

Then at report building time, you can opt to run the report with the default parameters or "all 
parameters." You can also further refine parameter details for a specific run of a report. For more 
information on specifying parameters in reports, see "Setting Default and Custom Report Parameters" 
on page 402. 

Note: Trend start/end times and row limits are used for gathering the data, and override the 
start/end times and row limits set in the base query. If you do not customize the Trend Parameters, 
the defaults on this tab are used (not the start/end times and row limit on the Query General 
Attributes tab). 

For reporting on the data (after it is collected), you can set new start/end times and row limit in the 
Report Parameters tab. The report parameters govern only the "outbound" or publishing data 
derived from the data already collected, not how the data is gathered. (See "Setting Default and 
Custom Report Parameters" on page 402 and "Running and Managing Reports" on page 448 for 
more information.) 
Trend Actions (Add to Active List) 

Trend actions give you the option to send specified columns (fields) in trend results to "Active Lists" 
on page 787 (see "List Authoring" on page 469). You do this by defining an Add to Active List trend 
action. On the Actions tab for a trend, you can select to send data from one or more columns in the 
trend results to a specified active list. 

Tip: Trend actions for active lists are similar to the add to active list rule action described in "Rule 
Actions Reference" on page 520. Unlike rules, however, add to active list is the only action 
available for trends, and the settings are not as fine-grained as for rules; for example, thresholds, 
number of events, time units, and so on do not apply to trend actions. 


How Trend Actions are Useful (Summary Views and 
Rules) 

The Add to Active List trend action provides another mechanism to get information from trends outside 
of (and in addition to) reports, and supports summary views of information from multiple trends. 

For example, you can build a single active list that gets updates from multiple trends (each trend 
updating different columns in the active list). Also, a single active list can receive updates and show 
information from trends as well as from other sources (for example, rules). Alternatively, you can build 
multiple active lists that get updates from a single trend. 

Perhaps most importantly, the ability to populate active lists with trend data makes trend results readily 
available for use in rules, filters, active channels, and so forth. In previous releases, trends could not be 
easily leveraged in rules and other such resources. 

Example Use Case 

Consider the following example use cases for leveraging trend results in active lists: 

• Taking Action on Event-Based Trends. Suppose an analyst wants to monitor the logins per hour 
by users based on their typical hourly login patterns and flag anything that is above a certain 
absolute threshold or more than n times a user’s previous average. 

The analyst can set up a trend to update the information in a trend table based on aggregation of per- 
user login events. The trend would have an action that updates an active list with the most recent 
results. Then, the analyst can configure a rule to update another active list when a user logs on and 
another rule to compare the current login count against what is normal for that user. Any gross 
discrepancy could be used to trigger an alarm about a possible threat. 

• Taking Action on Asset-Based Trends. Suppose an analyst wants to monitor assets by how 
vulnerable they are, and watch for “unusual activity” on especially vulnerable assets. 

The analyst can set up a trend to check vulnerability counts on assets and log the top n most 
vulnerable assets on a daily basis. The trend would have an action to update an active list. 
Incoming events on assets would trigger rules that would check this active list against the particular 
device and, if present, trigger extra processing. 
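The following is an added example, my own code rather than ESM content, that runs the event-based use case above end to end over constructed events: the hourly per-user aggregation a trend would do, the per-user baseline a trend action would push into an active list, and the comparison a rule would make against the current hour. The event shape, the thresholds, the minimum-count guard and the field names are all assumptions made for the example.

```python
"""Added example (my code, not ESM content): the "logins per hour per user"
check from the event-based use case, run end to end over constructed
events. In ESM the trend does the hourly aggregation, the trend action pushes
the per-user baseline into an active list, and a rule compares the current
hour against it; here the three steps are plain functions so the logic can
be read in one place. Event shape, thresholds and field names are assumed.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

Event = Tuple[str, str]  # (user name, ISO-8601 login time); constructed, not a real ESM event


def _logins(user: str, hour: int, n: int) -> List[Event]:
    """Helper to build n constructed login events for one user in one hour."""
    return [(user, f"2006-07-28T{hour:02d}:{minute:02d}") for minute in range(n)]


# Constructed sample: hours 00-03 are the baseline, hour 04 is "now".
EVENTS: List[Event] = (
    sum((_logins("alice", h, 2) for h in range(4)), []) + _logins("alice", 4, 3)
    + _logins("bob", 1, 1) + _logins("bob", 4, 2)
    + sum((_logins("carol", h, 2) for h in range(4)), []) + _logins("carol", 4, 8)
    + _logins("mallory", 4, 30)
)
BASELINE_HOURS = [datetime(2006, 7, 28, h) for h in range(4)]
CURRENT_HOUR = datetime(2006, 7, 28, 4)


def hourly_counts(events: Iterable[Event]) -> Counter:
    """Trend step: aggregate login events into {(user, hour_start): count}."""
    counts: Counter = Counter()
    for user, ts in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        counts[(user, hour)] += 1
    return counts


def baseline_averages(counts: Counter, baseline_hours: List[datetime]) -> Dict[str, float]:
    """Active list content: each user's mean logins per baseline hour.
    Hours with no logins count as 0 (an assumption about what "typical" means)."""
    users = {user for user, _ in counts}
    return {
        user: sum(counts.get((user, h), 0) for h in baseline_hours) / len(baseline_hours)
        for user in users
    }


def flag_logins(counts: Counter, averages: Dict[str, float], current_hour: datetime,
                abs_threshold: int = 20, factor: float = 3.0, min_count: int = 5
                ) -> Dict[str, Tuple[str, int, float]]:
    """Rule step: flag a user whose current-hour count is at or above an absolute
    threshold, or more than `factor` times their baseline average. min_count
    stops tiny baselines (0.25/hour) from flagging two logins as 8x normal."""
    flagged = {}
    for (user, hour), n in counts.items():
        if hour != current_hour:
            continue
        avg = averages.get(user, 0.0)
        if n >= abs_threshold:
            flagged[user] = ("absolute", n, avg)
        elif n >= min_count and n > factor * avg:
            flagged[user] = ("ratio", n, avg)
    return flagged


def run_example() -> Dict[str, Tuple[str, int, float]]:
    counts = hourly_counts(EVENTS)
    return flag_logins(counts, baseline_averages(counts, BASELINE_HOURS), CURRENT_HOUR)


if __name__ == "__main__":
    for user, (reason, n, avg) in sorted(run_example().items()):
        print(f"{user}: {n} logins this hour, baseline {avg:.2f}/hour, flagged by {reason}")
```

On the sample, carol is flagged by the ratio test (8 logins against a baseline of 2 per hour) and mallory by the absolute threshold (30 logins with no baseline at all); bob, whose baseline is a quarter of a login per hour, is not flagged for 2 logins because of the minimum-count guard, which is the kind of caveat to build into the rule rather than discover from false positives.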

Plan and Define Active Lists with Fields Mapped to 
Trend 

As a first step in setting up trend actions, determine which active lists the trend should populate and 
with what data. You might have existing active lists to add trend data to, or you could create new lists 
specifically for some trend results. (See "Example: Populating Active Lists with Trend Results" on 
page 441 for an example of designing an active list based on the trend fields you want to monitor.) 


Define a Trend Action 

Use the trend Actions tab to configure actions on a new or existing trend. 

To define a trend action on an existing trend: 

1. Select a trend in the Navigator, right-click and choose Edit Trend. 

2. In the Trend Editor, click the Actions tab. 

3. Select the action On Trend Run, right-click, and choose Add to Active List. 

Note: You can only use a fields-based active list in a trend action (not event-based lists). For 
more information on types of active lists, see "List Authoring" on page 469, especially the 
description of how to define data for the list ("Capacity (x1000)" on page 471). 

4. Select an active list from the dialog. 
[Add "Add To Active List" Action dialog: When: On Trend Run; To: Select an Active List. The 
dialog shows the Active Lists tree (admin's Active Lists; Shared/All Active Lists, including Top 
Users With Failed Logins, ArcSight Administration, ArcSight Foundation, ArcSight Solutions, 
and ArcSight System).] 

The active list you select here will be updated when this trend runs. 

5. On the Add to Active List dialog, select fields from the trend (on the right side) to map to active list 
fields (on the left). 



What you are doing in this step is mapping trend column names to active list column names. All 
the “key” columns required by the active list must have trend columns mapped to them so that the 
active list entry (row) is correctly updated by the trend. However, not all of the active list value 
columns need to have trend columns mapped. Not specifying all the key columns is an error. 

6. Click OK to add the action. 
[Trend Editor for "Top Users with Failed Logins", Actions tab (Add, Edit, Remove buttons): 
On Trend Run [Active] > Add To Active List, with Field: targetUserName, Field: timestamp, 
Field: COUNT_endTime and Resource: /All Active Lists/Top Users with Failed Logins.] 

The action shows on the Actions tab. 

Note that you could add more actions here (by selecting the On Trend Run and clicking Add), 
edit this action, or remove it. 

You can add multiple actions to a single trend (that is, configure a single trend to update particular 
columns in multiple active lists with trend results). 

7. Click Apply or OK in the Trend Editor to save your changes. 


Example: Populating Active Lists with Trend Results 

Suppose you want to monitor top failed user logins daily and send that data to an active list. (You could 
then configure rules to interact with the active list and trigger an alarm based on some threshold; for 
example, a single user with a certain number of failed logins per day.) To do this, you could create an 
active list with fields that map to a trend that monitors “top users with failed logins”. To see the fields in 
this trend: 

• In the Navigator, choose Reports, click the Trends tab, then navigate to //Trends/Shared/All 
Trends/ArcSight Foundation/Intrusion Monitoring /SANS Tops Reports/Top Users 
with Failed Logins per Day. 

• Select the trend, right-click and select Data Viewer from the context menu to display the trend 
results in the Viewer. Note the columns included by default in this trend table (Timestamp, Day, 
User Name, and Number of Failed Logins). 

You would need to have one or more of these fields in your active list to capture relevant data in the list, 
as we’ll show in the next section where we define the trend. 
To continue with the example, we could create a fields-based active list with fields that map to the trend 
"Top Users with Failed Logins per Day" as follows. 

Name                       Type     Key Field 
User Name                  String   This is the key field. 
Day and Time               Date 
Number of Failed Logins    Long 

When the trend runs, it populates the active list with data on top users with failed logins by user name, 
and lists the count of failed logins for each user along with date/time information. This active list could be 
used as the basis for rules, filters, active channels, and so on. 



Notes on Trend Action Behavior 

• When it is mentioned that a trend “updates” the active list entry (row), what is meant is that either 
the row is inserted if it is not currently present, or if it is present, it is updated. Note that the update 
only populates / overrides the columns specified by the trend column mapping. Any other active list 
columns that do not have trend column mappings preserve their existing values. What this means is 
that it is possible for a single active list to be updated by multiple trends, each updating different 
columns. The active list is appropriately locked during read-modify-write cycle to avoid data 
corruption. 

• A trend can be executed under a variety of circumstances, including refresh and backfill. However, 
for purposes of updating the active list, only the most recent data are entered into the active list. For 
example, no backfill data are added to the active list. A trend refresh run does not normally cause 
the active list to update, with the only exception being if it is the most recent data being refreshed. 

• This trend action never removes entries from the active list. If you want to have entries 
removed, use the active list's TTL (time-to-live) to have them expire. (The TTL setting is 
described in "Creating an Active List" on page 470.) 
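The following is an added example, my own model rather than ESM's implementation, that exercises the behaviour listed in the notes above (insert-or-update keyed on the key columns, only mapped columns overwritten, no removal by the action, expiry only through TTL) using rows shaped like the "Top Users with Failed Logins per Day" active list defined earlier. The class, the second vulnerability trend and all column names are assumptions; the manual does not describe ESM's internal data structures.

```python
"""Added example (my code, not ESM's implementation): an in-memory model of
the Add to Active List trend action rules listed under "Notes on Trend Action
Behavior" (upsert by key columns, only mapped columns overwritten, entries
never removed by the action, expiry only via TTL), exercised with rows shaped
like the "Top Users with Failed Logins" example. Class, method and column
names are assumed; ESM's internal data structures are not in the manual.
"""
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List, Optional, Tuple

Key = Tuple[Any, ...]


class FieldsBasedActiveList:
    """Stand-in for a fields-based active list with explicit key fields."""

    def __init__(self, fields: List[str], key_fields: List[str],
                 ttl: Optional[timedelta] = None) -> None:
        if not set(key_fields) <= set(fields):
            raise ValueError("key fields must be among the declared fields")
        self.fields = fields
        self.key_fields = key_fields
        self.ttl = ttl
        self.entries: Dict[Key, Dict[str, Any]] = {}
        self.last_update: Dict[Key, datetime] = {}

    def add_to_active_list(self, rows: Iterable[Dict[str, Any]],
                           mapping: Dict[str, str], now: datetime) -> None:
        """Apply one trend run. mapping = {active list field: trend column}.
        Every key field must be mapped; value fields may be left unmapped and
        then keep whatever they already hold."""
        missing = [k for k in self.key_fields if k not in mapping]
        if missing:
            raise ValueError(f"unmapped key fields: {missing}")
        unknown = [f for f in mapping if f not in self.fields]
        if unknown:
            raise ValueError(f"not fields of this active list: {unknown}")
        for row in rows:
            key = tuple(row[mapping[k]] for k in self.key_fields)
            # insert if absent, otherwise update in place (the "upsert")
            entry = self.entries.setdefault(key, {f: None for f in self.fields})
            for field, column in mapping.items():
                entry[field] = row[column]
            self.last_update[key] = now

    def expire(self, now: datetime) -> List[Key]:
        """TTL expiry: the only way entries leave the list. Returns removed keys."""
        if self.ttl is None:
            return []
        expired = [k for k, t in self.last_update.items() if now - t > self.ttl]
        for k in expired:
            del self.entries[k]
            del self.last_update[k]
        return expired

    def get(self, *key: Any) -> Optional[Dict[str, Any]]:
        return self.entries.get(tuple(key))


FIELDS = ["User Name", "Day and Time", "Number of Failed Logins", "Vulnerability Count"]
FAILED_LOGIN_MAPPING = {"User Name": "targetUserName", "Day and Time": "timestamp",
                        "Number of Failed Logins": "COUNT_endTime"}
VULN_MAPPING = {"User Name": "user", "Vulnerability Count": "vulns"}  # a second, assumed trend


def demo() -> FieldsBasedActiveList:
    """Two trends feeding one list, then a re-run that touches only alice."""
    al = FieldsBasedActiveList(FIELDS, key_fields=["User Name"], ttl=timedelta(days=2))
    day1 = datetime(2006, 7, 27)
    # constructed rows from the failed-logins trend run of day 1
    al.add_to_active_list(
        [{"targetUserName": "alice", "timestamp": day1, "COUNT_endTime": 7},
         {"targetUserName": "bob", "timestamp": day1, "COUNT_endTime": 12}],
        FAILED_LOGIN_MAPPING, now=day1)
    # constructed rows from a vulnerability trend: fills a different column
    al.add_to_active_list([{"user": "alice", "vulns": 3}], VULN_MAPPING, now=day1)
    # day 2 run: alice's count is overwritten, her vulns value and bob's row survive
    day2 = day1 + timedelta(days=1)
    al.add_to_active_list(
        [{"targetUserName": "alice", "timestamp": day2, "COUNT_endTime": 9}],
        FAILED_LOGIN_MAPPING, now=day2)
    return al


if __name__ == "__main__":
    al = demo()
    print(al.get("alice"))  # failed logins 9, vulns 3
    print(al.get("bob"))    # failed logins 12, vulns None
    print(al.expire(datetime(2006, 7, 29, 12)))  # [('bob',)]: not refreshed within the 2-day TTL
```

Two points worth checking against your own lists: a mapping that omits a key field is rejected before any row is touched, and a user who drops out of the trend's top-n (bob on day 2) keeps a stale entry until the TTL removes it, so a rule reading the list should also look at the entry's timestamp field rather than assume every entry is current.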

Editing a Trend Action 

1. Navigate to the trend you want to edit. 

2. Click the trend Actions tab. 

3. Select the action you want to edit and click Edit. 

4. On the Add to Active List dialog, make changes to the field mappings as needed and click OK. 

5. Click Apply or OK in the Trend Editor to save your changes. 

Removing a Trend Action 

1. Navigate to the trend you want to edit. 

2. Click the trend Actions tab. 

3. Select the action you want to remove and click Remove. 

4. Click Apply or OK in the Trend Editor to save your changes. 


Testing a Trend 

When you are creating a new trend or modifying an existing one, you might want to test it first to 
determine if you have defined the trend properly to return the data you want. To test the results of the 
schema you selected, make sure you are on the Schedule tab for the trend you want to test and click 
Test. Here are navigation instructions in case you are not already on that tab: 

1. Navigate to Reports > Trends in the Navigator panel, and select the trend you want to test. 

2. Do one of the following: 

■ Right-click and choose Test from the context menu 

Or 

■ Click Edit Trend to bring up the Trend editor in the Inspect/Edit panel. Within the editor for the 
selected trend, click the Test button at the bottom of any of the editor tabs (Attributes, Schedule, 
Parameters, and so forth). 

This procedure evaluates the current event stream for matching events and populates the Test Trend 
pop-up dialog. The message "Success: x rows" at the bottom of the dialog tells you how many rows 
your trend returned. 

The Test Trend sample shows a maximum of 25 rows. For interval queries, the sample also shows 
data from, at most, the last hour. If there is no match for the data, the trend returns no rows. This may 
mean that your current event query data contains no matching events or resources, or it may mean that 
your query needs to be refined. 


Viewing Trend Data 

1. Navigate to Reports > Trends in the Navigator panel, and select the trend for which you want to 
view the data. 

2. Right-click and select Data Viewer from the context menu. This launches the Trend Data Viewer 
in the Viewer panel and shows the query results. As with other ArcSight event viewers, you can 
select an event or group of events, right-mouse click, and access various tools from the context 
menu to use for further investigation. 


[Viewer panel showing the Trend Data Viewer for the trend "VPN Logins Outcome - Hourly Details" 
(alongside the ArcSight User Status and Latest Events By Priority tabs). Each row shows a Time 
value (for example 28 Jul 2006 08:48:26 PDT), a count, an outcome of /Attempt, /Failure or 
/Success, and a second numeric column.] 

■ If you are viewing a trend that was created in a previous ESM release, you may get an 
error message about inconsistencies with data types concerning the Timestamp and Char 
data types. This error message is seen if your base query is getting data from a multi- 
mapped active list or session list with Timestamp fields. If you are getting this error re- 
create the trend using the same base query. You should then be able to view the trend’s 
data without errors. 

■ If you recently migrated resources, be aware that resource imports and exports do not 
include trend data. Be sure to run the trend to get new data before attempting to view it, 
query it, or run reports on it. 


Refreshing Trend Data 

In addition to relying on the scheduled execution of a query according to its interval trend schedule, you 
can manually refresh the trend data at any time by using the trend refresh feature. 

To refresh a trend table: 

1. Do either of the following: 

■ Click the Refresh Trend Runs button on the trend’s Attributes tab for the selected trend. 

■ In the Navigator, select a trend you want to refresh, right-mouse click and select Refresh trend 
runs... from the context menu. 

This opens the Refresh Trends dialog which displays the trend query start times of the selected 
trend. 



2. Select a period consisting of a start and end time stamp under Show Trends From, select one or 
more of the trend runs under Choose Trend Runs, and click OK to refresh the selected trend 
runs. 

This executes the base query and refreshes the trend table on the selected runs. Trend refresh 
allows you to manually re-run a trend to compensate for events that arrive to the Manager late, 
either from a time zone lag or other data collection lag. 


Note: Also, you can configure data collection to be offset by some time period to compensate 
for late arrival of events. For more information, see Advanced settings for trends in this Help 
topic. 
Editing or Viewing a Trend Definition 

1. Navigate to Reports in the Navigator panel, select the Trends tab, and select the trend you want 
to modify. 

2. Double-click the trend, or right-click and select Edit Trend from the context menu. This launches 
the Trend Editor in the Inspect/Edit panel, and shows the definition for the selected trend. 

3. Edit the schedule, advanced settings, and so forth as needed and click Apply or OK to save your 
changes. (Click Cancel to exit the Trend editor without saving changes.) 


Note: The query used for a trend and the schema are set at the time the trend was created, 
and cannot be edited later. If you decide to use a different base query or need to make a 
change to the schema, delete the trend and start fresh. You can edit the base query by adding 
columns to it, but columns added to the query after the trend is created are not used by the 
trend. You can remove columns from the base query that are not used by the trend. However, 
if you want to add or remove columns (data fields) in the query that are used in the trend, 
create a new trend and select that modified query. 


Using a Trend in a Query or Report 

Trends can be used as the primary data source for a report. Or, a trend (based on one query) can be 
used as the data source for another query that further refines the initial query result. 

For more information on next steps, see Building Queries and "Creating Reports" on page 379. 


Disabling or Enabling a Trend 

To disable an enabled trend, right-click the trend and choose Disable Trend. 

To enable a disabled trend, first review the trend’s start date on the trend editor’s Schedule tab. By 
default, the start date is when the trend was created. If the start date is way in the past, for example 
over six months ago, note that the trend will try to backfill the data from that schedule. This will impact 
performance, and if the data is no longer available, you may not see any results. Before enabling an old 
trend, choose its start date that will realistically pull the data you need. 


Deleting a Trend 

To delete a trend, right-click it and choose Delete Trend. If the trend is being used in a query that is in 
turn being used in a query viewer, you will see a message that states "Dependent Resource Warning." 
You can force the deletion by clicking OK. 

Reports 

This topic describes how to run and manage various types of reports. Information is included on working 
with ad hoc reports, archived reports, focused reports, delta reports, and scheduled reports. The topic 
on Running Reports includes detail on setting report parameters at run-time. Also included is 
information on how to import and export reports, and work with report groups. 


Running a New or Archived Report 449 

Running a Delta Report 453 

Running Reports from a Grid View 454 

Running Large or Complex Reports 457 

Moving or Copying a Report 458 

Managing Report Groups 458 

Archiving and Scheduling Reports 460 


Defined reports are usually run on a schedule and their output archived automatically. But there are also 
many occasions when you need to run the basic report types directly. 

See also "Building Reports" on page 371 for an overview of all reporting tasks and tools, including how 
to develop new reports, queries, or trends using a provided template. 

Tip: Best practices 

• By default, you can run up to four reports at the same time. The number of reports allowed to 
run simultaneously is a configurable parameter on the Manager in 
ARCSIGHT_HOME/config/server.properties through the setting 

report.maxconcurrentinteractivereports = <number> 

If the number is exceeded, each additional report is placed in a queue and run in the order 
queued. Refer to the ESM Administrator's Guide's Configuration section, topic on Managing 
and Changing Properties File Settings. 

• If you are having problems running a large or complex report, refer to the topic "Running Large 
or Complex Reports" on page 457. 

• If you are having problems running PDF reports with Asian fonts, see the topic "Generating 
Reports with Asian Fonts" on page 410. 

• If a report does not show up as expected, try restarting the Console and running the report 
again. 
Running a New or Archived Report 

When you run reports, you most often use an existing report definition; or a copy of a report already 
defined, run, and archived for later use. Defining new reports is a separate topic described in Creating a 
Report. Please see also "Archiving a Report" on page 460 and "Scheduling Report Tasks" on page 463. 

Tip: If you are having problems running a large or complex report, refer to the topic "Running Large 
or Complex Reports" on page 457. 

If you are having problems running PDF reports with Asian fonts, see the topic "Generating 
Reports with Asian Fonts" on page 410. 


Running a Defined Report 

To run a defined report: 

1. In the Navigator panel, choose the Reports resource tree. 

2. Click the Reports tab. 

3. Navigate the Reports tree, and select the report you want to run. 

4. Right-click the selected report to bring up the Context menu, and select Run with one of the 
report-type options described below: 


Report Type - Description 

Report 
Run the report, but with the opportunity to edit its current parameters (if present). If 
you choose this option, the Report Parameters dialog is displayed before the report is 
run. You can override the default report parameters for just this run of the report. 

Report with defaults 
Run the report directly, using its defined parameters, if present. For focused reports, 
this is the only option. 

Delta report 
For reports based on bar charts, run the report after selecting another report as the 
comparison for the delta. 

5. In the Report Parameters dialog, enter settings in Common Parameters and Custom Parameters 
sections as appropriate. 
Note: Use the dialog box to override any predefined parameters for the report, but only for this 
particular run. 

Report Parameter Values 

Common Parameters - Description 

Report Format 
From the drop-down menu, select one of the following report output formats: 

■ pdf - Outputs the report as an Adobe PDF file. 

■ xls - Generates a Microsoft Excel file for tables and charts. 

Note: XLS reports you run with Microsoft Excel 2002 might have page break 
format problems (misalignments, column spillover) due to default page size 
settings in Excel. To correct this problem, open the resulting XLS report in 
Excel, choose File > Page Setup from the menus, change the paper size to 
Letter (instead of Legal), and click OK to save your changes. The report then has 
the appropriate page break formatting. This problem does not occur in newer 
versions of Microsoft Excel. 

Note: XLS report formats display speedometer charts as pie charts. This is a 
known limitation in Microsoft Excel. 

■ rtf - Produces a rich-text format document. 

■ csv - Creates tabular data as a list of comma-separated values. 

Note: Reports generated in CSV format are not the full equivalent of exports 
to other formats like PDF or HTML. CSV format is useful for loading report 
data into a spreadsheet for further manipulation. Since CSV is meant to 
contain tabular data, only the table data of a report is normally useful. 
Therefore, ArcSight exports only the table data portion of a report to CSV 
format, ignoring any other report information such as charts or text, including 
report titles. 

■ html - Generates the report in a Web page displayed by the default web 
browser. 

Your selection affects your choice for e-mail formats. See the description for Email 
Format, another report parameter, in this table. 

The output file is created at report runtime and is stored in the Archived Report 
Group corresponding to the report's group. See the Archives tab on the report's 
edit panel. 

Page Size 

From the drop-down menu, select a paper size. 

Run as 

User 

Run the report as a particular user. From the drop-down menu, select the user 
name by which you would like to run the report. 

For example, this option would allow an administrator for a Managed Security 
Service Provider (MSSP) to run report for a customer. The administrator would 
need write permissions to the user. 

Note: This option is not available for case reports. 

Email to 

You can have the report sent as e-mail to one or more ArcSight users. 

From the drop-down menu, select the Console users to whom the report should 
be e-mailed. The selection list is read from the Users resource. 

The recipient will only see his or her user name in the To field even if there are 
multiple recipients for this report. 

Handling empty reports: If you are emailing reports, empty reports are also 
sent. This is determined by the server property report.scheduler.notify_empty_reports, 
which is set to true. If you don’t want empty reports to be sent, add the property 
to the server.properties file and change the setting to false. Follow the 
instructions in the ESM Administrator’s Guide on how to edit this file. The details 
are in the guide’s Configuration chapter, topic on Managing and Changing 
Properties File Settings. 

Email addresses 

Send the report to one or more comma-separated or semicolon-separated e-mail 
addresses. This option does not require the recipient to be an ArcSight user. 

Note: The recipient will only see his or her e-mail address in the To field even if 
there are multiple recipients for this report. 
Email Format 

Specify how the report is to be accessed by the recipient. 

■ Choose Send URL if you want to point users to the report. Use this option if 
the report is large and is saved (archived) to a network-accessible location. 
You can provide URLs for all report formats: PDF, XLS, RTF, CSV, and HTML. 

■ Choose Attach Report if you want to send the report directly to the user's 
e-mail box. 

You can only attach PDF, XLS, RTF, and CSV report formats. 

■ Choose Attach Compressed Report if you want the PDF, XLS, RTF, or 
CSV report to be compressed (zipped) first before mailing. 

■ If you want to display the report on the e-mail message body so that the 
recipient immediately sees the report upon opening the e-mail, select Embed 
Report. 

You can only embed CSV and HTML report formats. 

Note: If you select an email format for an unsupported report format, the 
notification automatically uses the URL. 

Email Subject 

Specify the subject on the notification. Defaults to the report’s Name attribute 
(denoted by $ReportName). If you want to use a customized subject, type the 
text either in addition to the default or replace the default text entirely. 


6. Click Save Output if you want to save a copy of the report to disk. 

If you select this option, additional archive parameters are displayed. You can override any of 
these defaults also. You can: 

■ Change the group in which to archive the report. 

■ Provide a report name other than the default. 

■ Specify an expiration time at which to discard the report from the archive. By default, the report 
is saved in the archive for 6 months from the time it was run. 


Tip: You can use Velocity template references for fields that accept text, such as Archive 
Report Name and Archive Report Expiration Time. See "Velocity References for Reports" 
on page 1097 for details. 


7. In the Report Parameters dialog box, enter new parameters if available and appropriate. 

8. Click OK. 

9. In the options dialog box click Open to open the report, Save to choose a location and format for 
the output file, or Cancel to quit. The Save option applies to all but HTML files. 


Displaying an Archived Report 

1. In the Navigator panel, choose the Reports resource tree. 

2. On the Archives tab, right-click a report and choose Show Archive Report. 


Running a Delta Report 

Delta reports show the difference between two sets of parameters within a single comparative report. 
Defining new reports is a separate topic described in "Creating or Editing a Report" on page 379. In 
order to run a delta report, you must first have an existing report. You can also set up a delta report to 
run and archive on a schedule. See also "Archiving and Scheduling Reports" on page 460 and 
"Scheduling Report Tasks" on page 463 for more information. 

1. From the Navigator panel drop-down menu, select the Reports resource. 

2. On the Reports tab, right-click a report and choose Run, then Delta Report. 

Tip: The Run Delta Reports option is available only for reports with a bar, 3D bar, or inverted 
bar chart. The report must contain one chart only (no tables). The X and Y axes must have at 
least one column each, and there must be no Z-axis. The chart must not have any summary 
function or top N filter applied. For more information about creating reports with these 
characteristics, see "Binding Data to the Report" on page 385. 

3. Select the parameters for the first report, select a report format from the drop-down menu, and 
click OK. 

4. Select the parameters for the second report and click OK. 

5. Select Save Output if you want to save a copy of the report to disk. 

If this option is selected, additional archive parameters are displayed. You can override any of 
these defaults also. You can select a group in which to archive the report, provide a report name, 
and specify an expiration time at which to discard the report from the archive. By default, the report 
is saved in the archive for 6 months from the time it was run. 


Tip: You can use Velocity template references for fields that accept text, such as Archive 
Report Name and Archive Report Expiration Time. See "Velocity References for Reports" on 
page 1097 for details. 


The Report Viewer appears and displays the delta report. The report shows the difference between two 
sets of parameters used on a single report. The report also shows the data for each of the parameters. 


When a delta report is run or archived, an internal event is sent to the ArcSight Manager. This event 
contains the following data fields and values: 


Delta Report Event Data Field / Description 

Event Name 

Delta Report Generated (Report: <ReportName>), where <ReportName> is 
the name of the report. 


Rules can be created using the delta report data fields. 


Running Reports from a Grid View 

You can define reports on-the-fly based on specific events in grid views in the Viewer panel. 


Running a Rule Context Report 

In the grid view, a correlation event is marked with a Flash icon. A correlation event is generated 
by the system when a rule finds matching base events and triggers an action. The report generated by 
the following procedure includes the correlation event and the associated base events that caused the 
rule to trigger. 

1. In a grid view, select a correlation event. 

2. Right-click it and choose Report > Rule Context Report. 

3. In the Report Parameters popup, enter the time, in minutes, before and after this event's 
occurrence and click OK. 

4. You can choose to Open or Save the report file. 

A report showing the correlation event and the events that triggered the rule appears. 
Running an Event Context Report 

The report generated by the following procedure includes the events that occurred within a specified 
time before and after the event you select in the grid. 

1. In a grid view, select an event. 

2. Right-click and choose Report > Event Context Report. 

3. In the Report Parameters popup, enter the time, in minutes, before and after this event's 
occurrence and click OK. 

4. You can choose to Open or Save the report file. 


Running a Channel Report 

The report generated by the following procedure includes all events in the channel, not just the selected 
event. However, you do need to select an event in the grid view to select the channel and get the 
Report > Channel Report menu option. 

1. In a grid view, select an event. 

2. Right-click and choose Report > Channel Report. 

3. The Report Parameters popup is displayed, and its fields are automatically populated with the 
event data fields. You can enter new parameters to limit or extend the report. 

4. Choose a Report File Format from the drop-down menu. 

5. Click OK. 

6. You can choose to Open or Save the report file. 


Running a Query Viewer Report 

After you run a query viewer, you can generate a simple report containing the results. Reports initiated 
from query viewers are provided for convenience as a quick way to share the result data. Query viewer 
reports are limited to displaying data from the single query covered by the query viewer and retain the 
format of the chart or table in which the query viewer results are displayed. 

Tip: On row limits 

The report display format is based on the display chosen for the query viewer result. For example, 
if you chose to view query data as a pie chart, the generated report shows the same pie chart view. 
To generate a report showing results for the same query as a bar chart or table, you must then 
re-run the query viewer (<Query Viewer> > View Data as) in one of those formats, and then 
generate the report from that view. 

The report contents might not include as much data as the query viewer result shown in the 
Console for these reasons: 

• Reports on pie charts and bar charts have a default row limit of 25 and a maximum of 99 
rows. This is user-configurable. You can set a higher or lower row limit on the Report 
Parameters dialog you get when you run the report. (See the procedure below.) 

• Reports on tables can accommodate up to 10,000 rows. 


To generate a report on a query viewer: 

1. Right-click the query viewer results table or chart (anywhere in the Viewer panel) and click 
Report. 


[Screenshot: Viewer panel showing the query viewer "Event Counts by Hour of Day: PieChart" 
(Query: Event Counts Trend Query; columns HourOfDay and Count(Event ID)) with its 
right-click menu open: Investigate, Tools, Hide Series, Report..., Refresh, Help.] 


2. Specify the options on the Report Parameters dialog or take the defaults and click OK. For more 
help on setting report parameters, see "Running a New or Archived Report" on page 449. 


Tip: If you click Save Output on the Report Parameters dialog, you get additional options for 
setting the archived report under the Save Output Parameters section. 


3. When the report is ready, a dialog gives you the option of opening it to view it now or saving it to a 
location you specify through a file browser. 

Choose Open to view the report or Save to save it in a specified location. 


Running Large or Complex Reports 

A very large report (for example, a 500 MB PDF report) might require so much virtual machine (VM) 
memory that it can cause the ArcSight Manager to crash and re-start. To prevent this scenario, you can 
set up the Manager to expose a special report parameter for generating the report in a separate process. 
The separate process has its own VM and heap, so the report is more likely to finish. Even if the 
allocated memory is still not enough, the report failure will not crash the Manager. This option must be 
set up on the Manager to expose it in the ArcSight Console report parameters list. 

The default server property is report.canarchivereportinseparateprocess=false. You need to 
change this to true. 

The steps are as follows: 

1. Refer to the ESM Administrator’s Guide. In the Configuration chapter, follow the instructions in the 
topic on Managing and Changing Properties File Settings, Editing Properties to add the property. 
Make sure to restart the Manager after making changes. 

After setting the property to true, you will now have the ability to set the report parameter on the 
ArcSight Console. 

2. On the ArcSight Console, open the report that you want to run in a separate process in the Report 
Editor, and click the Parameters tab. Set the parameter Generate Report In Separate Process 
to true. 

3. Run the report. The report should run like a normal report, but it does not consume the resources of 
the Manager VM. See notes below for more information. 


Tip: Here are more tips about the property described in this topic. 

■ If a report is saved with the parameter set to true, the report is archived as a separate 
process even if the property report.canarchivereportinseparateprocess in 
server.properties is set back to false later on. 

■ This property indicates whether reports are allowed to be archived in a separate process. 
When this property is set to true, the option to run and archive the report in a separate 
process is available in the common properties in the Report Editor. Setting the value to 
true causes the report to be archived in a separate process. The benefit of archiving a 
report in a separate process is to avoid consuming Manager resources and potentially 
crashing the Manager. 

■ Use this parameter only in special circumstances as needed. For example, if archiving a 
report is causing the Manager to crash, then you might apply this solution. Generally, if a 
report contains tables that have more than 500,000 rows with 4 or 5 columns per row, it is 
likely that the report is large enough to over-tax the Manager VM memory. However, the 
threshold may vary depending on the Manager heap size and the details and data in the 
tables, so it is best to resort to this solution only if you encounter problems archiving a 
particular report. 


Moving or Copying a Report 

You may need to move or duplicate report definitions to better organize your work, to publish your 
definitions, or to make editable copies of enterprise reports. 

1. In the Reports resource tree, navigate to a report and drag and drop it into another group. 

2. Select Move to move the report, Copy to make a separate copy of the report, or Link to create a 
copy of the report that is linked to the original report. 

If you select Copy, you create a separate copy of the report that is not affected when the original report 
is edited. If you select Link, you create a copy of the report that is linked to the original report. 
Therefore, if you edit a linked report, whether it be the original or the copy, all links are edited as well. 
When deleting linked reports, you can either delete the selected report or all linked report copies. 


Managing Report Groups 

Report groups store similar reports, and control access to reports, using access control lists (ACLs). 
When editing access control permissions, permissions given to a report group are also given to all 
groups and reports within that group. 

Groups and reports can be managed with drag and drop functionality. You can move or copy groups and 
reports into other groups from the Reports resource tree. If a group is deleted, the reports within that 
group are also deleted. 

Caution: Do not exceed 10,000 resources in a group. 
To create a report group: 

1. On the Navigator Panel drop-down menu, select Reports. 

2. In the Reports resource tree, right-click a group and select New Group. 

3. Enter a report group name in the “name” text field. 

4. Press Enter. 

To rename a report group: 

1. In the Reports resource tree, right-click a group and choose Rename. 

2. In the “name” text field, rename the group. 

3. Press Enter. 

To edit a report group: 

1. In the Reports resource tree, right-click a group and select Edit Group. 

2. In the Report Editor, edit the Name and Description text field. 

3. Click OK. 

To move or copy a report group: 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 

1. In the Reports resource tree, navigate to a group and drag and drop it into another group. 

2. Select Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you select Copy, you create a separate copy of the group that is not affected when the original group 
is edited. If you select Link, you create a copy of the group that is linked to the original group. 
Therefore, if you edit a linked group, whether it be the original or the copy, all links are edited as well. 
When deleting linked groups, you can either delete the selected group or all linked groups. 

To delete a report group: 

1. In the Reports resource tree, right-click a group and select Delete Group. 

2. Click Yes in the dialog box. 
Archiving and Scheduling Reports 

You can schedule reports to archive automatically with the scheduler. The scheduler accepts multiple 
schedules by year, month, week, day, or hour. For example, a report can be archived automatically on 
the first of January at both 5 AM and 6 PM. The scheduler also sends e-mail notifications informing 
users when a scheduled report has been archived. Report Archiving is a component of ArcSight 
Reporting resource tools. Be sure to see "Building Reports" on page 371 for an overview of all reporting 
tasks and tools. 

Related topics: 

• "Archiving a Report" below 

• "Scheduling Report Tasks" on page 463 

• "Editing a Report Archiving Schedule" on page 466 

• "Editing Report Archiving Parameters" on page 467 

• "Deleting a Report Archiving Schedule" on page 467 

• "Viewing an Archived Report" on page 466 


Archiving a Report 

To archive a report: 

1. In the Reports resource tree, select the Reports tab. 

2. On the Reports tab, right-click a report and select Schedule for Archiving > Report. 

The report editor opens at the Jobs tab. 

3. Click Add on the Jobs tab, and choose either Schedule Report or Schedule Delta Report. 

Tip: The option to Schedule a Delta Report job is available only for certain types of event- 
based reports, and only when a previously-run report is available in the archives. Otherwise, 
clicking Add on the Jobs tab takes you directly to the job scheduler to schedule a standard 
report. For more information about Delta reports, see "Running a Delta Report" on page 453. 

4. Enter a name and description for the job. 

5. In the Jobs scheduler, click the link labeled Click here to set up schedule frequency to get the 
Job Frequency dialog, and configure the schedule. 



In the Job Parameters section, select or enter values for the parameter fields as necessary. For 
date parameters, enter values in the text fields, click the drop-down arrows or click the time 
buttons to select a time range. For time data, you can enter a specific value, such as 8:54:00 AM 
or you can use special timestamp variables. 

Click OK to save changes to the Job schedule. 

To view all scheduled jobs, click the Open scheduled jobs list tool button. The scheduled 
tasks are listed in the Viewer panel under “Current Jobs.” 

For more information on setting up and viewing scheduled jobs, see "Job Scheduler" on page 996. 

6. Back in the report editor Jobs tab, under the Job Parameters section, enter values for the report 
parameters by clearing the Use Default check marks, or change nothing here to keep the defaults. 
You can set the report format, e-mail options, output parameters, start and end times, and so on. 
These are the same parameters described in "Running a New or Archived Report" on page 449. 
If you chose any parameterized condition while creating this report, that condition is displayed at the 
top of the tab. An example of a parameterized condition is: detect time between $CurrentDate-1d 
and $CurrentDate. If such parameters exist, they are used for both immediate and scheduled 
generation of reports. While scheduling reports for archiving, these parameters are displayed in 
the Edit Parameters UI. It is possible to independently modify the dates specified in the parameter 
text fields; in addition to relative dates, you can specify absolute dates as parameter values. 
Examples of valid absolute dates are: 01/01/2014 and 01/01/2015 11:00:00 AM. 

7. Click Apply or OK on the report Editor to save your changes for this report. 


Note: If you do not want to archive reports if they are empty: 

By default, empty reports are also archived when scheduled for archiving. If you do not want this 
setting, enter this property in server.properties: 

report.scheduler.archive_empty_reports=false 

Refer to the Administrator’s Guide’s Configuration section, topic on Managing and Changing 
Properties File Settings, for instructions on how to change settings properly. 


Scheduling Report Tasks 

You can schedule some tasks to occur automatically. Specifically, this feature is available for archiving 
reports individually or by group, for taking Pattern Discovery snapshots, and for scheduling rules. This 
topic discusses the scheduler as it relates to scheduling reports. (For more information on the job 
scheduler in general, see also "Job Scheduler" on page 996.) 

Scheduling Individual-Report Archiving 

To schedule archiving of individual reports: 

1. Choose the Reports resource tree in the Navigator panel, select the Reports tab, and right-click 
the report you want to schedule. 

2. Choose Schedule for archiving, then Report or Delta Report for delta reports. (This opens the 
report with the Jobs tab showing.) 

3. Click Add on the Jobs tab. 

4. Enter a name and description for the job. 

5. In the Job Parameters section, select or enter values for the parameter fields as necessary. 

6. In the Summary section, click the link labeled Click here to set up schedule frequency. 

7. In the Job Scheduler dialog, select the desired frequency and enter the associated settings. 

The following table shows scheduling options. 
Option / Description 

Schedule Frequency 

Choose a timing for the schedule. The typical choices are self-explanatory: Hourly, 
Daily, Weekly, Monthly, and Yearly. For each timing, enter additional settings 
such as occurrence (Every) and time. For Monthly, also specify the day of the 
month. For Yearly, specify the month and date. 

Caution: If you are scheduling a yearly report on a leap year and you choose 
February 29 as the month and date, the Console will not save your setting. To 
ensure that yearly reports are covered on leap years, choose a different date; or 
choose either February 28 or March 1 if you want your schedule to be as close as 
possible to February 29. 

Schedule Range 

Select the start and end date for the report run. 


8. Repeat as required to add another schedule for the same group. 

9. Click OK. 

Reports can be archived in PDF, HTML, Excel, Comma Separated Value (csv), or Rich Text 
Format (rtf). The default PDF format should be used when archiving reports. Compared to PDF 
reports, other reports may lose formatting information and appear differently. In addition, Excel 
format is more memory-intensive than PDF. 

10. Select the e-mail scheduled reports to check box and a user from the drop-down menu to 
automatically send an e-mail notification when the report is archived. 

The user receives an e-mail notification stating that the report has been successfully archived. 
The e-mail also contains a URL to the report so that the user can view the report from the URL. 
The e-mail notification is sent to the e-mail address listed in the user's profile. The user must have 
an e-mail address in their user profile. 

11. For the Archive Folder text field, click the archive report group button to select where to list the 
archived report. 

12. In the Archive Report Selector, select a report archive group and click OK. 

13. In the Report Parameters window, click Update. 

14. For delta reports, in the Schedule Summary, right-click Default under the Param Set 2 column 
and select Edit Parameters to change the second parameter set, if any. Click Update. 

15. In the Schedule Summary, click Close. 


Tip: You can use Velocity template references for fields that accept text, such as Archive 
Folder and Archive Report Selector. See "Velocity References for Reports" on page 1097 for 
details. 
Scheduling Report Archiving by Resource Group 

1. In the Reports resource tree, navigate to a particular group. 

2. Right-click the group and choose Schedule for archiving > Report group. (This opens the report 
with the Jobs tab showing.) 

3. Click Add on the Jobs tab. 

4. Enter a name and description for the job. 

5. In the Job Parameters section, select or enter values for the parameter fields as necessary. 

6. In the Jobs scheduler, click the link labeled Click here to set up schedule frequency. 

7. In the Job Scheduler dialog, select the desired frequency and enter the associated details. Refer 
to the following table for guidance. 


Option / Description 

Schedule Frequency 

Choose a timing for the schedule. The typical choices are self-explanatory: Hourly, 
Daily, Weekly, Monthly, and Yearly. For each timing, enter additional settings 
such as occurrence (Every) and time. For Monthly, also specify the day of the 
month. For Yearly, specify the month and date. 

Caution: If you are scheduling a yearly report on a leap year and you choose 
February 29 as the month and date, the Console will not save your setting. To 
ensure that yearly reports are covered on leap years, choose a different date; or 
choose either February 28 or March 1 if you want your schedule to be as close as 
possible to February 29. 

Schedule Range 

Select the start and end date for the report run. 


8. Click OK. 

9. Repeat as required to add another schedule for the same group. 

Standard Time Transitions 

If the trigger time for a particular scheduled task run happens to fall during the transition time between 
daylight saving time (DST) and standard time (ST), the interval for that run will be different than 
expected. 

Time zones that honor DST have a period of time that occurs twice during the transition from DST to 
ST. For example, in the US when changing from DST to ST, this hour occurs once while the DST is still 
in effect and again after switching to the Standard Time. The transition period occurs at 2 a.m., 
therefore 1:00:00 a.m. - 1:59:59 a.m. occurs twice (1:00:00 a.m. PDT - 1:59:59 a.m. PDT and 1:00:00 
a.m. PST - 1:59:59 a.m. PST), where 1:00 a.m. PST is 60 minutes after 1:00 a.m. PDT. In this 
example, if the scheduled task is due to trigger any time between 1:00:00 a.m. - 1:59:59 a.m., the 
interval for that particular run of the scheduled task will not be as expected. 

Similarly, when the time changes from ST to DST, the 1:00:00 a.m. - 1:59:59 a.m. hour does not occur 
at all. The local time changes directly from 1:00 a.m. to 2:00 a.m. So, if your scheduled task run was 
scheduled to trigger between 1:00:00 a.m. - 1:59:59 a.m., the interval for that particular run will be off by 
an hour. 

The interval calculation for subsequent scheduled runs is not affected. 

Currently, there are four time zones that are not supported in ESM: 

• Kwajalein 

• Pacific/Kwajalein 

• Pacific/Enderbury 

• Pacific/Kiribati 

These time zones fall in two countries, Marshall Islands and Kiribati. 
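To make the interval shift described above concrete, here is an added example; it is not ArcSight code and does not describe the ArcSight scheduler's internals, which this guide does not document. It models a generic wall-clock scheduler that fires a daily job at the same local time, and measures the hours between consecutive runs across both transitions. The class USPacificRule, the helper functions and the 2015 sample dates are this example's own constructions: the class implements the US Pacific rule in force since 2007 inline so the script runs without a time zone database, and production code would normally use zoneinfo.ZoneInfo("America/Los_Angeles") instead. The last function is the review check a scheduler operator would want: which dates in a year put a given wall-clock trigger time into a repeated or skipped hour.

```python
"""Scheduled-run intervals across DST/standard-time transitions (added example,
not ArcSight code).  USPacificRule is a hand-written model of the US Pacific
rule so no tz database is needed; zoneinfo would replace it in production."""
from datetime import date, datetime, time, timedelta, timezone, tzinfo

UTC = timezone.utc


class USPacificRule(tzinfo):
    """US Pacific time under the rule in force since 2007: DST starts at 2:00
    a.m. standard time on the second Sunday of March and ends at 2:00 a.m.
    daylight time on the first Sunday of November.  Uses PEP 495 fold semantics:
    fold=0 is the pre-transition offset, fold=1 the post-transition one."""

    STD, DST, HOUR = timedelta(hours=-8), timedelta(hours=-7), timedelta(hours=1)

    @staticmethod
    def _nth_sunday(year, month, n):
        first = date(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

    def _transitions(self, year):
        """(dst_start, dst_end) as naive local wall-clock datetimes."""
        return (datetime.combine(self._nth_sunday(year, 3, 2), time(2)),
                datetime.combine(self._nth_sunday(year, 11, 1), time(2)))

    def _is_dst(self, dt):
        naive = dt.replace(tzinfo=None)
        start, end = self._transitions(dt.year)
        if start <= naive < start + self.HOUR:      # skipped hour (spring forward)
            return dt.fold == 1
        if end - self.HOUR <= naive < end:          # repeated hour (fall back)
            return dt.fold == 0
        return start + self.HOUR <= naive < end - self.HOUR

    def utcoffset(self, dt):
        return self.DST if self._is_dst(dt) else self.STD

    def dst(self, dt):
        return self.HOUR if self._is_dst(dt) else timedelta(0)

    def tzname(self, dt):
        return "PDT" if self._is_dst(dt) else "PST"

    def fromutc(self, dt):
        """UTC instant (carried with tzinfo=self) -> local time; the second pass
        through the repeated hour comes back with fold=1."""
        utc = dt.replace(tzinfo=None)
        start, end = self._transitions(utc.year)
        start_utc, end_utc = start - self.STD, end - self.DST   # 10:00Z and 09:00Z
        if start_utc <= utc < end_utc:
            return (utc + self.DST).replace(tzinfo=self)
        fold = 1 if end_utc <= utc < end_utc + self.HOUR else 0
        return (utc + self.STD).replace(tzinfo=self, fold=fold)


PACIFIC = USPacificRule()


def classify_wall_time(local_iso, tz=PACIFIC):
    """'normal', 'ambiguous' (occurs twice at fall-back) or 'nonexistent'
    (skipped at spring-forward) for a wall-clock time such as "2015-11-01 01:30"."""
    naive = datetime.fromisoformat(local_iso)
    first, second = naive.replace(tzinfo=tz, fold=0), naive.replace(tzinfo=tz, fold=1)
    if first.astimezone(UTC).astimezone(tz).replace(tzinfo=None) != naive:
        return "nonexistent"        # round trip lands on a different wall time
    return "ambiguous" if first.utcoffset() != second.utcoffset() else "normal"


def daily_trigger_intervals(first_day_iso, wall_time_iso, days, tz=PACIFIC):
    """Fire a job at one wall-clock time on `days` consecutive days, as a
    wall-clock scheduler does, and return the hours between consecutive runs.
    Intervals are measured on the UTC clock: two aware datetimes that share one
    tzinfo object subtract on their wall-clock values and would hide the shift."""
    first_day, wall = date.fromisoformat(first_day_iso), time.fromisoformat(wall_time_iso)
    runs = [datetime.combine(first_day + timedelta(days=i), wall, tzinfo=tz).astimezone(UTC)
            for i in range(days)]
    return [(b - a) / timedelta(hours=1) for a, b in zip(runs, runs[1:])]


def affected_runs(year, wall_time_iso, tz=PACIFIC):
    """Review check: ISO dates in `year` on which a daily job at the given
    wall-clock time lands in a repeated or skipped hour."""
    wall, day, out = time.fromisoformat(wall_time_iso), date(year, 1, 1), {}
    while day.year == year:
        kind = classify_wall_time(datetime.combine(day, wall).isoformat(sep=" "), tz)
        if kind != "normal":
            out[day.isoformat()] = kind
        day += timedelta(days=1)
    return out


if __name__ == "__main__":
    print("fall-back, daily 1:30 a.m.:", daily_trigger_intervals("2015-10-31", "01:30", 3))
    print("spring-forward, daily 2:30 a.m.:", daily_trigger_intervals("2015-03-07", "02:30", 3))
    print("runs to review in 2015:", affected_runs(2015, "01:30"), affected_runs(2015, "02:30"))
```

The daily 1:30 a.m. job shows intervals of 24 and then 25 hours around the fall-back Sunday, and a job at 2:30 a.m., inside the hour this rule skips in spring, shows 24 and then 23; every later interval is 24 hours again, matching the statement above that only the run straddling the transition is affected. Converting to UTC before subtracting is the part that is easy to get wrong: two aware datetimes sharing one tzinfo object subtract on their wall-clock values and would report 24 hours every day.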


Viewing an Archived Report 

To view an archived report, select the Reports resource in the Navigator (if it is not already selected) 
and click the Archives tab. Navigate the Archived Reports tree to find the archived report you want, 
then right-click the report and choose Show Archive Report. The report is displayed in the Viewer. 

If you do not find the report you are looking for, you might want to check to see if it has run yet. To view 
all scheduled jobs, click the Open scheduled jobs list tool button. The scheduled tasks are 
listed in the Viewer panel under “Current Jobs.” 


Editing a Report Archiving Schedule 

You can change the archiving schedule for report definitions in your Reports resource folders. 

1. In the Reports resource tree, select the Reports tab. 

2. On the Reports tab, right-click a report and select Schedule for archiving, then Report or Delta 
Report for delta reports. 

3. In the Schedule Summary, right-click in the braces { } column and select the Parameters option to 
change report parameters set for the specific scheduled report. To delete a current scheduled 
archive report, right-click in the braces { } column of an existing schedule and click Delete. 

4. To change the interval scheduling of a report, click the report interval button, choose Yearly, 
Monthly, Weekly, Daily, or Hourly, and then click the date and time buttons. 
5. If editing within the same timeframe, click the Month, Date, Day, Hour, Min, AM/PM buttons to 
specify changes to the report schedule. 

6. When you've finished editing the schedule, click OK. 


Editing Report Archiving Parameters 

You can change the archiving parameters of the report definitions in your Reports resource folders. 

1. In the Reports resource tree, select the Reports tab. 

2. On the Report Definitions tab, right-click a report and select Schedule for archiving, then 
Report or Delta Report. 

3. Right-click in the braces { } column for a scheduled report and select the Parameters option. 

4. In the Report Parameters window, type in the report parameter text fields, if any. 

For date and time data fields, such as Detect Time, you can type an actual date value, such as 
10/12/2014 8:54:00 AM, or you can use special timestamp variables. 

5. Select the E-mail scheduled reports to check box, and a user from the drop-down menu, to 
automatically send an e-mail notification when the report is generated. 

The user receives an e-mail notification stating that the report has been successfully archived. 
The e-mail also contains a URL to the report so that the user can view the report from the URL. 

The e-mail notification is sent to the e-mail address listed in the user's profile. The recipient must 
have an e-mail address in their user profile. 

6. For the Archive Folder text field, click the archive report group button to select where to list the 
archived report. 

7. In the Archive Report Selector, select a report archive group and click OK. 

8. In the Report Parameters window, click Update. 

9. For delta reports, in the Schedule Summary, right-click Default under the Param Set 2 column 
and select Edit Parameters to change the second parameter set, if any. Click Update. 

10. In the Schedule Summary, click Close. 


Deleting a Report Archiving Schedule 

You can remove individual archiving schedules for reports in the Scheduled Tasks list. 
1. In the Reports resource tree, select the Reports tab. 

2. On the Report Definitions tab, right-click a scheduled report (showing a calendar icon) and choose 
Schedule for archiving, then Report or Delta Report. 

3. On the line for the schedule to remove, right-click in the braces { } column and choose Delete. 

4. In the confirmation dialog box, click Delete to remove it or Cancel to let it remain. 
Active lists and session lists are important tools for tracking traffic with IP addresses of interest. 

Active lists can hold up to 500K entries. While you can manually update active lists, their real value 
comes when you author automatic, rule-driven lists with dynamic content. 

Required Settings for Large Lists 469 

Creating an Active List 470 

Editing Active Lists and Active List Entries 477 

Using Rules to Populate an Active List 478 

Adding Events from a Channel to an Active List 482 

Moving or Copying an Active List 483 

Importing and Exporting an Active List 483 

Deleting an Active List 484 

Managing Active List Groups 484 

Managing Session Lists 485 

Field Naming Restrictions 491 

Required Settings for Large Lists 

By default, active lists and session lists each support 1 million entries. This section describes the 
required settings to support up to 5 million entries. 

• You increase the list entries limit through the activelist.max_capacity and 
sessionlist.max_capacity property settings in the server.properties file, as in the following example: 

activelist.max_capacity=5000000 
sessionlist.max_capacity=5000000 

• To have adequate memory for 5 million entries, use these settings in the server.wrapper.conf 
file: 

wrapper.java.initmemory=32768 
wrapper.java.maxmemory=32768 

Both files are stored in the Manager’s config directory. Refer to the Administrator Guide’s 
Configuration section, topic on “Managing and Changing Properties File Settings.” 
• Set the Console’s Java heap setting to 1536 MB. 


Creating an Active List 

Active lists are usually defined in conjunction with rules specifically tailored to interact with and 
populate the lists dynamically. Lists not driven by rules are empty or contain only manually added 
entries that have not timed out. (See "Using Rules to Populate an Active List" on page 478 and "Rules 
Authoring" on page 493 for more information on how to create rules that work with active lists.) 

To create an active list: 

1. Choose the Lists resource tree in the Navigator panel. 

2. Click the Active Lists tab. 

3. Right-click an active list group and choose New Active List. 

4. Fill in fields and select options as follows. 


Active List Attributes 

In this field... ...enter this 

Name 

Enter a name for the active list. This name identifies the active list in ArcSight 
pick lists. Spaces and special characters are allowed. 

Optimize Data 

If you want to create a hash-based list, click Optimize Data to toggle it on. This 
option reduces the memory usage of an active list. It is useful for active lists 
with more than 1,000 entries or for lists that contain a large amount of 
information per entry. See "Optimize Data with Hash-Based Active Lists" on 
page 788. 
Capacity (x1000) 

This setting indicates the maximum number of active list entries the system is 
to keep in memory. The default is 10,000. For most cases, 10,000 is 
appropriate; however, you may wish to adjust this setting if the devices you are 
monitoring for this active list contain a lot of data, to ensure you have adequate 
memory cache available. 

Notes: 

■ This represents a limit on in-memory capacity only. If you also select 
Partially cached, more entries are retained but this has an impact on 
performance when it is necessary to retrieve active list items from the 
database. 

■ If the maximum number of entries is reached, an existing entry is randomly 
selected and removed. 

■ Capacity influences the maximum memory that can be consumed by the 
active list. The memory usage is proportional to the number of entries in the 
list, which usually are less than the capacity. Capacity affects memory 
usage, but has little if any impact on performance. 

TTL Days, TTL Hours, TTL Minutes 

In the TTL (Time To Live) fields, set the number of Days, Hours, or Minutes an 
unused result should remain on the list before it is removed. Use 0 (zero) to 
cause the field to never expire. The maximum number of days is 99999. 

Allow multi-mappings 

Check this box to allow multiple instances of key pairings. This enables a single 
key, such as an actor attribute, to map to multiple values, such as a set of roles. 
You can use this to return a list of entries with the same value for the key field. 

For example, with multi-mappings enabled, you can create an active list that 
could return multiple roles for an actor named Clark Kent (reporter, superhero, 
space traveller) or multiple names associated with a farmhouse in Kansas 
(Clark Kent, Superman, Kal-El). 

Note: Don’t use this setting if you are creating a Time partitioned active list. 
Partially cached 

When Partially cached is selected, additional entries beyond the in-memory 
"Capacity (x1000)" maximum are stored and retrieved from the database. 

Using partial caching increases overall capacity but can impact performance 
because it takes more time to retrieve list entries from the database. 

This setting is required by active lists that are Time partitioned. 

Note: There is a limitation when in-memory resources such as active channels 
and data monitors are used to return values from a partially-cached list. Only 
those values that are in the cache are returned. Reports and query viewers are 
not affected by this limitation because these resources query the database 
directly and do not use cache. 

Time partitioned 

A partially-cached, time-partitioned active list enables you to capture data over 
time. Without time partitioning, a partially-cached list requires constant 
retrievals from the database to update the entries, and flushing out old entries 
is done at random. With time partitioning, the cached data is segregated into 
partitions based on the list’s timestamp (Date field) value. Time-partitioned list 
data are kept in memory, and older data are the first to age out of the list. 

This option requires that: 

■ The list must not be multi-mapped. 

■ Partially cached must be enabled. 

■ The list must be fields-based (not event-based). Fields must include at least 
a date and a string field that are set as key fields. Without a date key field, 
the time partitioned setting is ignored. 
Case Sensitivity 

You can optionally configure the list to be case-sensitive or -insensitive. 
Furthermore, for case-insensitive lists, you can specify case-insensitivity for 
keys only, or for both keys and values. The feature enables you to store and 
look up values in lists regardless of case. 

Select one: 

■ Case-Sensitive (the default) 

■ Key Case-Insensitive 

■ Key & Value Case-Insensitive 

Important: After you save the list, you cannot change this setting. If you want 
to revert the case sensitivity setting, define a new list instead. 

Cautions on case-insensitive lists: 

■ If your list is case insensitive, don’t use the Optimize Data option. 

■ Lookups on case-insensitive lists will slow down query and active channel 
performance. Make sure your queries and variables (used by channels) get 
values from case-sensitive lists. 

Common and Assign fields 

Entering data in the Common and Assign sections is optional, depending on 
how your environment is configured. For information about the Common and 
Assign attributes sections, as well as the read-only attribute fields in Parent 
Groups and Creation Information, see "Common Resource Attribute Fields" on 
page 685. 
Data: Event-based, Fields-based 


In the Data panel, choose Event-based or Fields-based lists. Your entries here 
determine what kinds of values your list is populated with. 


Caution: After you have selected your data fields and saved the active list, you 
cannot add, remove, or change existing data fields. 


■ The Event-based option is convenient for choosing event attributes as found 
in existing events. When checking or adding to an event-based list, you only 
need to supply an event. This option is not supported in time-partitioned 
lists (see "Creating an Active List" on page 470). 


■ The Field-based option offers detailed event and attribute selection controls 
that involve mapping fields to field attributes. Use this setting for 
time-partitioned lists. 


Field-based lists that use "Key Fields" are known as active lists with 
values. (For more information, see "Active Lists with Values" on page 790.) 


5. If list data is event-based: 

a. Click Select Fields. 

b. On the Field Selector panel, select one or more event fields for your list data collection then 
click OK to close the Field Selector panel. Then click Apply or OK on the Active List Editor 
panel to save your event-based list. 

6. If list data is field-based: 

a. Under the Name column, replace <EnterName> with a descriptive name for the field. For a list 
of restricted characters, see "Field Naming Restrictions" on page 491. 

b. Select the data type and corresponding subtype as applicable: 
Field-Based Data Types and Subtypes 

Type Subtype 

Address 

o IPv4 Address 

o IPv6 Address 

Note: The IPv6 address will be simplified on the list. For example, 
2001:db8:0000:0000:0000 will be displayed as 2001:db8::. The 0s are 
dropped and replaced by two colons (::). 

o MAC Address 

Date 

This field is required for time-partitioned active lists. Additionally, you must set 
this as a key field. If the time-partitioned list has no date or time-based field, 
time partitioning does not occur. 

This Date field is used as a default Timestamp value for interval-type queries on 
active lists. 
Double, Integer, or Long 

Optionally select one of the numeric subtypes to accumulate values when the 
field is updated, for example, by a rule. If you do not select a cumulative 
numeric subtype, the entries are replaced when the list is updated. 

o SUM adds the existing value and the inserted value. For example, if type is 
Double, subtype is SUM, and the current value is 100.00, inserting a value 
of 50.0 results in a new value of 150.00. 

o MAX takes the greater of the existing and inserted values. For example, if 
type is Double, subtype is MAX, and the current value is 100.00, inserting a 
value of 50.0 does not change the current value because 100.00 is already a 
maximum of itself and 50.0. 

o MIN takes the lesser of the existing and inserted values. For example, if 
type is Double, subtype is MIN, and the current value is 100.00, inserting a 
value of 50.0 results in a value of 50.0. 

Notes: 

o The cumulative values feature is only available in fields-based active lists. 

o Cumulative numeric fields cannot be used as key fields. 

o If you are manually editing list entries for the cumulative numeric subtypes, 
the value you enter is the final value. This means accumulation of values 
does not occur with manual entry edits. 

o These cumulative numeric subtypes are not supported in multi-mapped 
active lists because new entry values for the same key add rather than 
modify the entries. 

o Trends cannot act on lists with cumulative numeric fields. 

o Rules and Pattern Discovery can act on lists that use cumulative numeric 
fields. 

Resource Reference 

Any ArcSight Resource such as Asset, Report, Actor, and so on. 

String 

This is optional for lists in general but required, along with a Date field, if your 
list is time partitioned. 


c. Optionally check Key Fields to enable a per-field Key option, and then select one or more data 
fields that must be unique. 
For example, the ArcSight-provided active list ArcSight Foundation/Configuration 
Monitoring/Assets with Recent Configuration Modifications uses fields-based data, 
and keys on unique values for asset address, zone, and name. 

Field-based lists that use Key Fields are known as active lists with values. (For more 
information, see "Active Lists with Values" on page 790.) 


Note: For key fields, here are best practices: 

o For a time-partitioned active list, your key fields must be a Date field and a string field. 
o Don’t make cumulative numeric fields key fields. 


Database columns are defined after the list is created. After the new list is saved, you cannot 
add, remove, or change columns to the list. 

7. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

8. Click Apply to save and continue editing or OK to save and close. 

You can use the Add Entries button in the Active List Editor to manually insert values to the current 
active list. See "Editing Active Lists and Active List Entries" below. 


Editing Active Lists and Active List Entries 

To edit an active list: 

1. In the Active Lists resource tree, right-click an active list and choose Edit Active List. 

2. Make appropriate changes to the properties of the active list. Refer to the instructions in "Creating 
an Active List" on page 470. Pay attention to active list settings that depend on other settings. 

3. To add values manually: 

a. Click Add Entry. 

b. On the Active List Editor panel, add the value for your data list and click Add. 

c. To see the updates on your list as you add more values, right-click the active list on the 
resource tree and select Show Entries. 

4. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

5. Click Apply to save and continue editing or OK to save and close. 
To view active list entries: 

1. Choose the Active List resource tree in the Navigator panel. 

2. Right-click an active list and choose Show Entries. 

The viewer panel displays the list entries. 

To edit active list entries: 

Caution: If your fields-based active list contains numeric subtypes to accumulate values, be 
careful about manual changes. Your manually-entered value replaces the existing cumulative 
value, and your new value is not cumulative. 

1. Right-click an item in the Active List resource tree and choose Show Entries. 

2. In the active list grid view, right-click an entry and choose Edit. 

3. Click the entry's Source Address or Count to make changes. 

4. Click Modify to change the existing entry or Add to post the changed entry as a new one. 

To refresh the active list view: 

Active lists show results as of the time they opened for viewing, or the last time they were refreshed. 
Click the Refresh button in the view header to update the contents. 


Using Rules to Populate an Active List 

Typically, active lists are defined and then populated in conjunction with rules specifically tailored to 
interact with and populate the lists dynamically. (See "Rule Actions Reference" on page 520 for more 
information on how to create rules.) 

For example, to create an active list that captures information about VPN login events, you need to 
create both (a) the active list that forms the table to store and display the data, and (b) the rules to 
capture and send matching events to the list. The rules populate and update the list for you. 

This example shows how to create an active list and a rule that work together to capture VPN login 
events. The active list shows the number of logins by username. 


Example Active List 

To try out this example, first create a fields-based active list named VPN Events, with fields named 
User Name and Category, both of type String. Set User Name as the Key field. 
Data: Fields-based (Key Fields enabled) 

Name       Type    Sub-type  Key-field 
User Name  String            yes 
Category   String            no 


Example Rule to Populate Active List 

Next, create a rule, also named VPN Events, to populate the active list with user names and category 
information for matching login events. 

What the Rule Does 

The goal is to define this rule to look for VPN login events, using values found in Event Name and 
Category Device Group fields as indicators of such events. A matching event triggers the rule. When 
triggered, the rule interacts with our VPN Events active list as follows. 


Populate this field in the Active List 

With the value from this field in incoming events 

User Name 

Target User Name 

Category 

Category Device Group 


Conditions 

Set Conditions to capture events when the Event Name contains Login and Category Device 
Group contains VPN. To capture event names from various sources that might be formatted differently 
(for example, in all uppercase, all lowercase, or initial capitalization), uncheck the Case-Sensitive 
option next to the Event Name field. This shows up in the Conditions Summary tab as follows: 

Event conditions 
  AND 
    Name Contains Login [ignore case] 
    Category Device Group Contains /VPN 


Tip: More fine-grained conditions logic (as used in this example) requires more processing and can 
have a performance impact. For example, using “<SomeField> Contains <SomeString>” for a field 
lookup requires more processing than writing a field lookup like “<SomeField> = <SomeString>”. 


For Case-Sensitive Lists: Use Variables to Make the Active List Case-insensitive 

If your list is case-insensitive, you can skip this topic. 

This information is provided for backward compatibility. In earlier releases of ESM, for example, in 
6.0c, lists were case-sensitive by default. If you have lists created in earlier ESM versions, this topic 
explains how to create case-insensitive active lists through rules. 
For this example, we want to make our active list case-insensitive. That is, since User Name is the 
active list key field, we want to aggregate matching events from the same user regardless of the 
original capitalization format of the user name in the event. If 3 events come in with user name Jeff, and 
4 more come in with user name jeff, these should be shown on a single line in the active list showing 
that Jeff logged in 7 times. As described below, we’ll map a Variable String Function called ToUpper to 
achieve this. You can also use ToLower and get the same results. 

Aggregation 

On the Aggregation tab in the rule, select the fields for aggregation only if they are identical. In the Add 
Field dialog, set Aggregation for event1 on Category Device Group and Device Custom String 1. 

Aggregate only if these fields are identical 

event1.Category Device Group 

event1.Device Custom String 1 

If your list is case-sensitive and you want to aggregate identical fields regardless of case sensitivity, 
you will also include in the above dialog an aggregation for event1.ConvertToUpperCase, our variable 
which you have previously created in "For Case-Sensitive Lists: Use Variables to Make the Active List 
Case-Insensitive" on the previous page and can now select in Add Field’s Local Variables tab. 

Actions 

Activate the rule Actions option On Every Event (de-activate others), and select Add to Active List. 

• For case-sensitive lists only, insert the ConvertToUpperCase variable into the active list. Select 
On Every Event, right-click, and choose Add Set Event Field. Map Device Custom String 1 to 
$ConvertToUpperCase. (This syntax is called the velocity template for the function. See "Using 
Velocity Expressions in Rule Actions" on page 1096.) 



• Add values for User Name and Category to the active list. Map the fields as follows: 
■ User Name: Device Custom String 1 
■ Category: Category Device Group 

Add ’Add To Active List" Action 

When: On Every Event 
Add To Active List 



[ OK ] [ Cancel ] [ Help [ 


Local Variables 

On the Local Variables tab in the rule, create a variable named ConvertToUpperCase, select the 
String Function ToUpper, and select Target User Name as the argument. Click OK to save the 
variable. 


(Add Local Variable dialog) 

In subsequent steps, this variable inserts Target User Name values in the active list. This way, all 
lookups from the active list use upper case key field values. 

Tip: Keep in mind that more fine-grained conditions logic requires more processing and can have a 
performance impact. For example, specifying a case-insensitive active list requires more 
processing than a case-sensitive active list. Use conditions logic like this only as necessary, and 
weigh your performance requirements as a part of content creation. 


Save and Test 

Click OK on the Rule Editor to save the rule. 

When you are ready to test the rule, remember to drag-and-drop the rules into the Real-time Rules 
folder to deploy them. When you do this, you’ll get a choice of whether to move, copy, or link them. 
Linking is often most efficient. (See "Deploying Real-time Rules" on page 536.) 

When the VPN Events rule is triggered, user names are added to the VPN Events active list. 
VPN Login Events Details 

Name: VPN Login Events 
Last Update: 15 Dec 2008 17:23:40 PST 
Filter: No Filter 
6 shown / 6 matches 

User Name  Category  Creation Time      Last Modified Time  Count 
FRED       /VPN      15 Dec 2008 14...  15 Dec 2008 14...   7 
JASMINE    /VPN      15 Dec 2008 14...  15 Dec 2008 14...   7 
JEFF       /VPN      15 Dec 2008 14...  15 Dec 2008 14...   9 
JOHN       /VPN      15 Dec 2008 14...  15 Dec 2008 14...   2 
LARA       /VPN      15 Dec 2008 14...  15 Dec 2008 14...   1 
MICHAEL    /VPN      15 Dec 2008 14...  15 Dec 2008 14...   1 


A logical next step in this example scenario would be to create another rule that checks to see if certain 
user names are showing up in the active list, and then takes some action (like sending an e-mail or 
adding those names to a “suspicious users” list, if appropriate). 
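As an added illustration (my own Python model, not ArcSight code), the following class captures the list behaviours this chapter describes in two places: the cumulative numeric subtypes SUM, MAX and MIN from the Field-Based Data Types table (with manual edits that replace rather than accumulate, random eviction at Capacity, and TTL expiry), and the case-insensitive key handling that the ToUpper variable achieves in the VPN Events example, where 3 Jeff events plus 4 jeff events yield one entry with Count 7. Column, method and sample names are assumptions for the illustration.

```python
"""Toy model of the ESM fields-based active list semantics described in this
chapter: key fields, cumulative numeric subtypes, case-insensitive keys, TTL and
the in-memory Capacity limit. Added illustration only; not ArcSight code."""
import random
import time
from dataclasses import dataclass


@dataclass
class Column:
    name: str
    typ: str               # String, Double, Integer, Long, Date, ...
    subtype: str = ""      # "SUM", "MAX" or "MIN" for cumulative numeric columns
    key: bool = False


class ActiveList:
    def __init__(self, columns, capacity=10_000, ttl_seconds=0,
                 key_case_insensitive=False, clock=time.time):
        self.columns = {c.name: c for c in columns}
        self.keys = [c.name for c in columns if c.key]
        if not self.keys:
            raise ValueError("an active list with values needs at least one key field")
        if any(c.key and c.subtype for c in columns):
            raise ValueError("cumulative numeric fields cannot be key fields")
        self.capacity = capacity
        self.ttl = ttl_seconds                 # 0 means entries never expire
        self.key_case_insensitive = key_case_insensitive
        self.clock = clock                     # injectable for deterministic tests
        self.entries = {}                      # key tuple -> entry dict

    def _key(self, values):
        parts = []
        for name in self.keys:
            v = values[name]                   # KeyError if a key field is missing
            if self.key_case_insensitive and isinstance(v, str):
                v = v.upper()                  # same effect as the ToUpper variable
            parts.append(v)
        return tuple(parts)

    def _expire(self):
        """Drop entries whose TTL has elapsed since their last modification."""
        if self.ttl == 0:
            return
        now = self.clock()
        for k in [k for k, e in self.entries.items() if e["modified"] + self.ttl <= now]:
            del self.entries[k]

    def add(self, values):
        """Rule action 'Add To Active List': merge values into the entry for this key."""
        self._expire()
        k = self._key(values)
        now = self.clock()
        entry = self.entries.get(k)
        if entry is None:
            if len(self.entries) >= self.capacity:
                # At capacity, an existing entry is randomly selected and removed.
                del self.entries[random.choice(list(self.entries))]
            self.entries[k] = {"values": dict(values), "count": 1,
                               "created": now, "modified": now}
            return
        for name, new in values.items():
            sub = self.columns[name].subtype
            old = entry["values"].get(name)
            if sub == "SUM" and old is not None:
                entry["values"][name] = old + new
            elif sub == "MAX" and old is not None:
                entry["values"][name] = max(old, new)
            elif sub == "MIN" and old is not None:
                entry["values"][name] = min(old, new)
            else:
                entry["values"][name] = new    # non-cumulative field: replace
        entry["count"] += 1
        entry["modified"] = now

    def edit(self, values):
        """Manual edit in the Console grid: the typed value is final, no accumulation."""
        self._expire()
        entry = self.entries[self._key(values)]
        entry["values"].update(values)
        entry["modified"] = self.clock()

    def lookup(self, **key_values):
        """Return the entry for these key values, or None if absent or expired."""
        self._expire()
        return self.entries.get(self._key(key_values))

    def __len__(self):
        self._expire()
        return len(self.entries)
```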


Adding Events from a Channel to an Active List 

From an event that shows up on an active channel's grid, you can select the option to add the event to 
an existing list or remove it, if that event is already an entry on an active list. 

The default procedure is: 

1. Open an active channel of events. 

2. Right-click a specific event on the channel grid, and choose Active List > Add To > Other. 

The Add to Active List dialog appears. 

Note: The options Untrusted List and Trusted List apply to event fields that are address 
related. 

3. Browse the Active Lists resource selector to locate your active list and select it. 

The selected active list's entries are displayed. 

4. Click OK. 

Tip: If adding events from the active channel to existing lists is a frequent task for you, you can 
add your collection of frequently-used lists directly to the Active List option. That way, the lists are 
displayed instead of the active list resource tree. 

Follow the instructions in "Customizing the Default Selections for Active Lists" on page 85. 


Moving or Copying an Active List 

1. In the Active Lists resource tree, navigate to an active list and drag and drop it into another group. 

2. Choose Move to move the active list, Copy to make a separate copy of the active list, or Link to 
create a copy of the active list that is linked to the original active list. 

If you choose Copy, you create a separate copy of the active list that is not affected when the original 
active list is edited. If you choose Link, you create a copy of the active list that is linked to the original 
active list. Therefore, if you edit a linked active list, whether the original or the copy, all links are edited 
as well. When deleting linked active lists, you can either delete the selected active list or all linked 
active list copies. 


Importing and Exporting an Active List 

To import an active list: 

You can import a comma-separated-value (CSV) file as data. This is useful if you have data from other 
systems that you want to import; you can use the import to populate your active lists. 

1. In the Active Lists resource tree, select an active list, right-click, and choose Import CSV File. 
This brings up a file browser. 

2. Browse to find the CSV file you want to import, select it, and click Open. 

The Import Preview displays. If this is the file you want to import, click OK to add it to the active 
list. 

3. Right-click the active list you just populated with the CSV file and choose Show Entries. This 
displays the newly-added data from the CSV file in the Viewer panel as active list details. 


Note: The default view limit is 2000 entries. To view more, specify the number of entries in 
your filter. 


To export an active list: 

In the active list viewer, you can export selected entries from an active list to a CSV file. This is useful 
if you want to manage active list data external to the ArcSight Console. 

1. In the Active Lists resource tree, select an active list and choose Show Entries. The data in the 
active list is displayed in the Viewer panel as active list details. 
2. On the active list detail in the Viewer panel, select one or more entries (typically, rows of events). 

3. Right-click and choose either Export CSV - Visible Columns or Export CSV - All Columns. 

This brings up a file browser. 

4. Browse to the location where you want to save the exported data, enter a file name in the File 
Name field, and click Save. The entries you selected for export are saved as a CSV file in the 
chosen location. 


Deleting an Active List 

1. Right-click an active list and choose Delete Active List. 

2. In the dialog box, click Yes. 

Managing Active List Groups 

Active list groups are created to store similar groups or active lists in a single location. Groups can be 
created within groups to meet enterprise needs. 

Caution: Do not exceed 10,000 resources in a group. 

Groups and active lists can be managed with drag and drop functionality. You can move or copy groups 
and active lists into other groups in the Active Lists resource tree. If a group is deleted, the active lists 
within that group are also deleted. 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 

To navigate to active lists: 

1. Choose the Lists resource tree in the Navigator panel. 

2. Click the Active Lists tab. 

To create an active list group: 

1. In the Navigator panel, choose the Active Lists resource tree. 

2. In the Active Lists tree, right-click a group and choose New Group. 

3. A name text field appears under the group you selected. 
4. In the name text field, type in a name. 

5. Press Enter. 

To edit an active list group: 

1. To rename the active list group: 

■ In the Active Lists resource tree, right-click a group and choose Rename, or 

■ In the Group Editor, edit the Name field. 

2. In the Group Editor, change the description as required. 

3. Press Enter. 

To move or copy active list groups: 

1. In the Active Lists resource tree, navigate to a group and drag and drop it into another group. 

2. Select Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you select Copy, you create a separate copy of the group that is not affected when the original group 
is edited. If you select Link, you create a copy of the group that is linked to the original group. 
Therefore, if you edit a linked group, whether it be the original or the copy, all links are edited as well. 
When deleting linked groups, you can either delete the selected group or all linked groups. 

To delete active list groups: 

1. In the Active Lists resource tree, right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 

Managing Session Lists 

While you can manually update session lists, their real value comes when you author automatic, rule- 
driven lists with dynamic content. 

Related topics: 

• "Creating a Session List" on the next page 

• "Using Rules to Populate a Session List" on page 489 

• "Editing Session Lists and List Entries" on page 489 
• "Understanding Session Correlation" on page 569 

• "Example: Using Session Lists to Correlate Session Data on User Logins" on page 574. 


Creating a Session List 

Note that session lists are usually defined in conjunction with rules specifically tailored to interact with 
and populate the lists dynamically. Session lists not driven by rules are empty or contain only manually 
added entries that have not timed out. (See "Understanding Session Correlation" on page 569 and 
"Example: Using Session Lists to Correlate Session Data on User Logins" on page 574 for more 
information.) 

To create a session list: 

1. Choose the Lists resource tree in the Navigator panel. 

2. Click the Session Lists tab. 

3. Right-click a session list group and choose New Session List. 

4. In the Session List Editor, in the Inspect/Edit panel, define the following values. 


Session List Attributes 

In this field... ...enter this 

Name 

Enter a name for the session list. This name identifies the session list in ArcSight 
pick lists. Spaces and special characters are allowed. 

Overlapping Entries 

Check this box to alert the system to allow multiple instances of key pairings, 
which keeps the previous session with the same key field open. For example, 
you might check this box if the list is tracking activity for an asset that supports 
multiple user logins. 

In Memory Capacity (x1000) 

This setting indicates the maximum number of session entries the system keeps 
in memory. The default value is 10,000. For most cases, 10,000 is appropriate; 
however, you may wish to adjust this setting if the devices you are monitoring for 
this session list contain a lot of data to ensure you have adequate memory cache 
available. 

As a best practice, be sure to set In Memory Capacity higher than the number of 
live sessions you anticipate. This helps optimize performance and, therefore, 
keeps results reliable. 

TTL Days 

In the TTL (Time To Live) fields, set the number of days a closed session should 
remain on the list before it is removed. Default is 0 days. Use 0 (zero) to keep the 
closed session indefinitely. The maximum number of days is 99999. 

Entry Expiration Time 

Enter an expiration time for session list entries. This indicates the time after 
which entries are marked as terminated (if no explicit termination event is 
received previous to this). 


The default is 0 seconds, which means the entry never expires. An entry with no 
expiry date/time can only be terminated explicitly through user action on ArcSight 
Console, rule actions, or archives. 

Case Sensitivity 

You can optionally configure the list to be case-sensitive or -insensitive. 
Furthermore, for case-insensitive lists, you can specify case-insensitivity for keys 
only, or for both keys and values. The feature enables you to store and look up 
values in lists regardless of case. 


Select one: 


■ Case-Sensitive (the default) 


■ Key Case-Insensitive 


■ Key & Value Case-Insensitive 


Important: After you save the list, you cannot change this setting. If you want to 
revert the case sensitivity setting, define a new list instead. 


Caution: Lookups on case-insensitive lists will slow down query and active 
channel performance. Make sure your queries and variables (used by channels) 
get values from case-sensitive lists. 


5. Set the Common and Assign fields as appropriate. Entering data in the Common and Assign 
sections is optional, depending on how your environment is configured. For information about the 
Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups 
and Creation Information, see "Common Resource Attribute Fields" on page 685. 

6. Define columns for session list entries: 

Under the Name column, replace <EnterName> with a descriptive name for each session 
parameter you want to track; for example, IP address, zone, or MAC address. The name you enter 
here appears as a label in the session list and in the Variable pick list. Names can contain spaces, 
such as User Name. For a list of restricted characters in field names, see "Field Naming 
Restrictions" on page 491. 
Columns for Start Time, End Time, and Creation Time are pre-defined. 

7. Enter the corresponding data type, sub-type, and mark as key field as required. Refer to the 
following table for guidance: 


Session List Column Types and Subtypes 


Type / Subtype 

Address 

■ IPv4 Address 

■ IPv6 Address 

Note: The IPv6 address will be simplified on the list. For example, 
2001:db8:0000:0000:0000 will be displayed as 2001:db8::. The 0s are 
dropped and replaced by two colons (::). 

■ MAC Address 

Date 

This Date field is used as a default Timestamp value for interval-type queries on 
session lists. 

Double, Integer, or Long 

Select the applicable numeric type. 

Note: Leave the Subtype column blank even if you see the selections. The 
numeric subtypes MIN, MAX, and SUM are not supported in session lists. 

Resource Reference 

Any ArcSight Resource such as Asset, Report, Actor, and so on. 

String 

This is optional for lists in general but required, along with a Date field, if your list is 
time partitioned. 

Key field 

Select one or more fields that must be unique to indicate a session start. In most 
cases, you would select at least two fields to make a key-value pair. For example, 
in the case of a DHCP login event, when a new IP and zone combination are 
written to the list, this indicates that a new session has started. 


Database columns are defined after the session list is created. Column definitions cannot be 
added, removed, or changed once the new session list is saved. 


8. Click Apply. 

The Filter tab for the list becomes enabled. 

9. Click the Filter tab in the Session List Editor and define a filter that limits the number of events to 
consider for the new session list. Session lists without filters must evaluate every event, which 
can negatively affect performance. The Filter tab presents the Field Set selection panel. Although 
the filter editor is similar, session list filters are not the same as Filter resources. Session list filters 
use different fields than Filter resources, for one thing. 
Session lists are often concerned with logins to specific machines. In this case, you would write a 
filter that would limit evaluation to IP address ranges of interest. By filtering out all events except 
those targeting IP addresses in the DHCP server's subnet, for example, you are effectively 
limiting session list evaluation to inside traffic, reducing the overhead of session list evaluation. 
Other uses of session lists suggest other installation-specific knowledge that can be used to 
create session list filters that restrict the number of events matched against the session list. 


Note: Filters are used to improve session list performance by restricting the number of events 
that must be evaluated. Filters, such as DHCP IP address ranges, are installation-specific. 
Therefore, consider adding a filter to pre-defined session lists, such as /All Session 
Lists/ArcSight Foundation/Network Monitoring/DHCP, to improve performance. 


10. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

11. Click Apply to save and continue editing or OK to save and close. 

You can use the Add Entry button in the Session List Editor to manually create more entries for the 
current session list. 


Using Rules to Populate a Session List 

Session lists are usually defined in conjunction with rules specifically tailored to interact with and 
populate the lists dynamically. Lists not driven by rules are empty or contain only manually added 
entries that have not timed out. See "Understanding Session Correlation" on page 569 and "Example: 
Using Session Lists to Correlate Session Data on User Logins" on page 574 for more information, 
including an example walk-through of how to create a session list and rules with which to populate it. 

For information about rules, specifically, see "Rules Authoring" on page 493. 


Editing Session Lists and List Entries 

Procedures in this topic include editing a session list's properties, adding and deleting session list 
entries, terminating an entry, and deleting session lists. 

To edit a session list's properties: 

1. In the Session Lists resource tree, right-click a session list and choose Edit Session List. 

2. Make appropriate changes to the properties of the session list. 

3. Click Apply to save and continue editing or OK to save and close. 

Entries are added to a session list through rule actions (see "Rule Actions Reference" on page 520) or 
manual entry, described below. 
Caution: A session list can contain only one entry with the same key and StartTime value (up to 
milliseconds). This is useful in preventing duplicate session entries from multiple rule firings and 
from scheduled rules that are also deployed in real-time. 
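The attribute semantics described above (Entry Expiration Time, TTL Days, key case sensitivity, In Memory Capacity), the key-field selection in step 7, and the key-plus-StartTime uniqueness rule in this Caution can be modelled in a few lines. The following Python block is an added illustration written for this page, not ArcSight code; the class and method names, the sample key fields (IP address and zone), and the behaviour when In Memory Capacity is exceeded (the model refuses the entry; the guide does not say what ESM does) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed reference time for the examples below.
T0 = datetime(2024, 1, 1, 9, 0, 0)


def later(base, **delta):
    """Helper: a time some timedelta after base (keeps the usage below readable)."""
    return base + timedelta(**delta)


@dataclass
class SessionEntry:
    key: tuple                           # values of the key fields, e.g. (IP address, zone)
    start_time: datetime                 # StartTime; compared to millisecond precision
    end_time: Optional[datetime] = None  # None while the session is still open
    values: dict = field(default_factory=dict)

    @property
    def is_open(self) -> bool:
        return self.end_time is None


class SessionList:
    """Model of the session-list semantics described in the guide (constructed for
    illustration, not ArcSight code): key + StartTime uniqueness, Entry Expiration
    Time, TTL Days, key case sensitivity and In Memory Capacity."""

    def __init__(self, key_fields, expiration_seconds=0, ttl_days=0,
                 key_case_insensitive=False, in_memory_capacity=10_000):
        self.key_fields = tuple(key_fields)
        self.expiration = timedelta(seconds=expiration_seconds)  # 0 = entries never expire
        self.ttl = timedelta(days=ttl_days)                      # 0 = keep closed entries indefinitely
        self.key_case_insensitive = key_case_insensitive         # fixed once the list is saved
        self.capacity = in_memory_capacity
        self.entries = []

    def _key(self, values):
        key = tuple(str(values[f]) for f in self.key_fields)
        return tuple(k.lower() for k in key) if self.key_case_insensitive else key

    @staticmethod
    def _to_millis(t):
        # Truncate to whole milliseconds, the precision at which StartTime is compared.
        return t.replace(microsecond=(t.microsecond // 1000) * 1000)

    def add(self, values, start_time):
        """Add an open entry. Returns False when an entry with the same key and the
        same StartTime (to the millisecond) already exists, which is how the list
        suppresses duplicates from repeated rule firings."""
        key = self._key(values)
        for e in self.entries:
            if e.key == key and self._to_millis(e.start_time) == self._to_millis(start_time):
                return False
        if len(self.entries) >= self.capacity:
            # Assumption: the guide does not state what ESM does past In Memory Capacity;
            # this model refuses the entry, so keep the setting above expected load.
            raise MemoryError("In Memory Capacity reached")
        self.entries.append(SessionEntry(key, start_time, values=dict(values)))
        return True

    def terminate(self, values, end_time):
        """Explicit termination (Console action or rule action): closes every open entry for the key."""
        key = self._key(values)
        closed = 0
        for e in self.entries:
            if e.key == key and e.is_open:
                e.end_time = end_time
                closed += 1
        return closed

    def housekeeping(self, now):
        """Apply Entry Expiration Time to open entries and TTL Days to closed entries."""
        if self.expiration:
            for e in self.entries:
                if e.is_open and now - e.start_time >= self.expiration:
                    e.end_time = e.start_time + self.expiration   # marked as terminated
        if self.ttl:
            self.entries = [e for e in self.entries
                            if e.is_open or now - e.end_time < self.ttl]

    def open_sessions(self):
        return [e for e in self.entries if e.is_open]


if __name__ == "__main__":
    dhcp = SessionList(["ip", "zone"], expiration_seconds=3600, ttl_days=1, key_case_insensitive=True)
    dhcp.add({"ip": "10.0.0.5", "zone": "Corp"}, T0)
    dhcp.add({"ip": "10.0.0.5", "zone": "corp"}, later(T0, microseconds=400))   # duplicate, rejected
    dhcp.housekeeping(later(T0, hours=1, seconds=1))
    print(len(dhcp.open_sessions()), "open,", len(dhcp.entries), "kept")
```

The duplicate check uses the case-folded key when the list is key case-insensitive, so `Corp` and `corp` collide; a second entry for the same key is accepted as soon as its StartTime differs by a millisecond, exactly the situation the Caution describes.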


To add a session list entry based on an existing entry: 

1. Right-click an item in the Session List resource tree and choose Show Entries. 

2. In the session list grid view, right-click an entry that is similar to the entry you would like to add. 
Choose Edit. The Session List Entry editor appears in the Inspect/Edit window. 

3. Click a row's Value column to make changes. The column type may limit the kind of data that can 
be entered. 

4. Click Add to post the changed entry as a new one. 

To add a new session list entry: 

1. Right-click an item in the Session List resource tree and choose Edit Session List. The Session 
List Entry editor appears in the Inspect/Edit window. 

2. Click the Add Entry button. 

3. Click a row's Value column to make changes. The column type may limit the kind of data that can 
be entered. 

4. Click Add to save the new entry. The Reset button clears all values. 

To delete a session list entry: 

1. Right-click an item in the Session List resource tree and choose Show Entries. 

2. In the session list grid view, right-click the entry that you would like to delete. Choose Delete. 
Confirm the deletion by clicking Delete. 

To terminate a session list entry: 

1. In the Session Lists resource tree, right-click a session list and choose Show Entries. 

2. In the session list grid view, right-click the entry you want to terminate and select Terminate 
Session Entry. 

3. Enter the date and time for the session end time. Click the button for a context menu containing 
relative times such as Now, 1 hour ago, 1 day from now, and so on. Click OK. 

To delete a session list: 

1. Right-click a session list and choose Delete Session List. 

2. In the dialog box, click Delete. 


Moving or Copying a Session List 

1. In the Session Lists resource tree, navigate to a session list and drag and drop it into another 
group. 

2. Choose Move to move the session list, Copy to make a separate copy of the session list, or Link 
to create a copy of the session list that is linked to the original session list. 

If you choose Copy, you create a separate copy of the session list that is not affected when the original 
session list is edited. If you choose Link, you create a copy of the session list that is linked to the 
original session list. Therefore, if you edit a linked session list, whether the original or the copy, all links 
are edited as well. When deleting linked session lists, you can either delete the selected session list or 
all linked session list copies. 


Exporting a Session List 

In the session list viewer, you can export selected entries from a session list to a CSV file. This is 
useful if you want to manage session list data external to the ArcSight Console. 

1. In the Session Lists resource tree, select a session list, and choose Show Entries. The data in 
the session list is displayed in the Viewer panel as session list details. 

2. On the session list detail in the Viewer panel, select one or more entries (typically, rows of 
events). 

3. Right-click and choose either Export CSV - Visible Columns or Export CSV - All Columns. 

This brings up a file browser. 

4. Browse to the location where you want to save the exported data, enter a file name in the File 
Name field, and click Save. The entries you selected for export are saved as a CSV file in the 
chosen location. 


Field Naming Restrictions 

The following information on field naming restrictions applies to both session lists and field-based 
active lists. When you enter a name for your field, you are creating a database column. Field names, 
therefore, are subject to character restrictions consistent with database column names. The following 
table lists the characters you must not use in field names. 
Disallowed Characters for Field Names 

Disallowed Character   Description 
&                      Ampersand 
*                      Asterisk 
@                      At 
^                      Caret or circumflex 
:                      Colon 
.                      Dot or period 
=                      Equals 
!                      Exclamation point 
>                      Greater than 
-                      Hyphen or dash 
<                      Less than 
(                      Parenthesis, left 
)                      Parenthesis, right 
+                      Plus 
'                      Single quote 
/                      Slash, forward 
[                      Square bracket, left 
]                      Square bracket, right 
|                      Vertical bar 
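As an added check written for this page (not part of ArcSight), the following Python functions reject field names containing any character from the table above and report where the offending characters sit, so a column definition can be validated before the list is saved and the columns become immutable. Treating the pre-defined Start Time, End Time and Creation Time columns as reserved names is an assumption of this example, not something the guide states.

```python
# Constructed example, not ArcSight code: validate session list / active list field
# names against the Disallowed Characters table in the guide.
DISALLOWED_FIELD_CHARS = {
    "&": "Ampersand",
    "*": "Asterisk",
    "@": "At",
    "^": "Caret or circumflex",
    ":": "Colon",
    ".": "Dot or period",
    "=": "Equals",
    "!": "Exclamation point",
    ">": "Greater than",
    "-": "Hyphen or dash",
    "<": "Less than",
    "(": "Parenthesis, left",
    ")": "Parenthesis, right",
    "+": "Plus",
    "'": "Single quote",
    "/": "Slash, forward",
    "[": "Square bracket, left",
    "]": "Square bracket, right",
    "|": "Vertical bar",
}

# Assumption: the pre-defined session list columns are treated as reserved names here.
PREDEFINED_COLUMNS = ("Start Time", "End Time", "Creation Time")


def field_name_problems(name):
    """Return (position, character, description) for each disallowed character in name."""
    return [(i, ch, DISALLOWED_FIELD_CHARS[ch])
            for i, ch in enumerate(name) if ch in DISALLOWED_FIELD_CHARS]


def validate_field_name(name):
    """Return None if the name is acceptable, otherwise a message explaining why not."""
    if not name or not name.strip():
        return "field name is empty"
    if name in PREDEFINED_COLUMNS:
        return f"'{name}' is a pre-defined column"
    problems = field_name_problems(name)
    if problems:
        detail = ", ".join(f"{desc} at position {pos}" for pos, _, desc in problems)
        return f"'{name}' contains disallowed characters: {detail}"
    return None


def validate_columns(names):
    """Validate a whole column definition. Returns {name: message} for every rejected name."""
    rejected = {}
    for n in names:
        msg = validate_field_name(n)
        if msg:
            rejected[n] = msg
    return rejected


if __name__ == "__main__":
    # Constructed column definition: spaces are fine ("User Name"), '@' and '-' are not.
    for name, why in validate_columns(["User Name", "IP Address", "user@host", "Source-IP"]).items():
        print(why)
```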
Chapter 18: Rules Authoring 

This section explains how to use rules to correlate events in your environment. 

Topics include: 

• "Designing Rules" below 

• "Rule Types" on the next page 

• "Creating or Editing Rules" on page 495 

• "Enabling and Disabling Rules" on page 497 

• "Specifying Rule Thresholds and Aggregation" on page 511 

• "Managing Rule Actions" on page 515 

• "Converting Rule Types" on page 530 

• "Testing Rules" on page 530 

• "Verifying Rules with Events" on page 532 

• "Deploying Real-time Rules" on page 536 

• "Scheduling Rules" on page 539 

Designing Rules 

Creating rules involves defining the events the rule evaluates, thresholds, and actions you want the rule 
to trigger. Conditions define which events trigger the rule, thresholds determine when a condition is met 
and a correlation event is generated, and actions state what responses are taken when a correlation 
event is generated. To define rule events and conditions, thresholds, and actions, begin by determining: 

• Which event occurrences do I want to be aware of? This determines what events this rule needs to 
monitor and the conditions to be tested. 

• How many times do I want the event or events to occur and within what time frame? This 
determines the rule's threshold. 

• What actions should automatically occur when an event is generated? When should those actions 
occur? This determines the rule's actions. 

Before you create rules, determine which events you want to monitor. Be specific and as clear as 
possible. For example, monitoring all events from a Cisco Router would not be as useful as monitoring 
all denied events from that Cisco Router. In addition, the more conditions you add to a rule, the more 
specific the rule becomes. Use the ArcSight data fields to guide you in selecting and specifying 
conditions. For more information, see "Data Fields" on page 885. 


Rule Types 


ESM provides the following rule types: 


Standard rules 

Include all features for rule creation such as multiple event conditions, field 
aggregation, and rule actions based on different triggers. You can convert a standard 
rule to a lightweight or pre-persistent rule ("Converting Rule Types" on page 530). 

Lightweight rules 

Include a small set of features for rule creation for faster and simpler rule processing. 

A lightweight rule: 

• Has only one event condition (no joins). 

• Does not aggregate data fields, therefore, the Aggregation tab is disabled. 

• Executes a specific action only on the On Every Event trigger. 

• Only allows active list and session list actions. 

• Does not generate correlation or audit events, although failures are logged. 

• Is processed earlier in the flow than standard rules. 

• Can be converted to other rule types ("Converting Rule Types" on page 530). 



Pre-persistence rules 

Include a small set of features to enable basic event analysis and the setting of various 
event fields, therefore enriching these base events, before the events themselves are 
persisted in the database. A typical usage for this rule type would be for threat-level 
formula calculations. 

A pre-persistence rule: 


• Has only one event condition (no joins). 


• Does not aggregate data fields, therefore, the Aggregation tab is disabled. 


• Executes a specific action only on the On Every Event trigger. 


• Can only perform the Set Event Field action. The action is applied to incoming 
base events. Values of the modified fields are available to standard and lightweight 
real-time rules, which run during the post-persistence processing flow. 


• Does not generate correlation or audit events, although failures are logged. 


• Is processed earlier in the flow than lightweight and standard rules. 


• Cannot be scheduled or replayed, since events occurring in the past have already 
been persisted and can no longer be modified. 


• Can be converted to other rule types (see "Converting Rule Types" on page 530). 


Managing Rules 

Like other resources, the rule-management tasks include creating, changing, deleting, and deploying 
them. 


Creating or Editing Rules 

Before creating rules, determine which events you want to monitor. Be as specific and as clear as 
possible. For example, monitoring all events from a Cisco Router would not be as useful as monitoring 
all denied events from that Cisco Router. In addition, the more conditions you add to a rule, the more 
specific the rule becomes. 

Use the ArcSight data fields to guide you in selecting and specifying conditions. 

Caution: If you are editing a standard rule because you want to change its rule type, follow the 
instructions in "Converting Rule Types". 
To create or edit a rule: 

1. From the Navigator Panel drop-down menu, choose Rules. 

2. If you are creating a rule, right-click a group and choose New Rule | <Rule Type>. See "Rule 
Types" on page 494 for guidelines on rule types. 

If you are editing a rule, right-click the rule and choose Edit Rule. 

3. On the Attributes tab, enter or change the name in the Name text field. 

The name is restricted to 25 characters. Be as descriptive as possible. The name is stored in the 
Event Name data field and appears in the Event Name column on the grid view. 

4. Optional: Enter data in the Common and Assign sections, depending on how your environment is 
configured. For information about the Common and Assign attributes sections, including the read- 
only attribute fields in Parent Groups and Creation Information, see "Common Resource Attribute 
Fields" on page 685. 

5. Required: Define conditions on the Conditions tab following instructions in "Specifying Rule 
Conditions" on page 498. You cannot save the rule without specifying conditions. Note that for 
non-standard rules, there are restrictions (see "Rule Types" on page 494 for details). 

6. For standard rules, add correlating events, specify thresholds and time windows to qualify events, 
and aggregate incoming event data based on matching fields on the Aggregation tab. See 

"Common Conditions Editor (CCE)" on page 864 and "Specifying Rule Thresholds and 
Aggregation" on page 511 for more information. 

Note: The Aggregation tab is enabled for standard rules only. 

7. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

8. Click OK to save and close the rule. You can also click Apply to save changes but keep the rule 
open. 


Moving or Copying Rules 

Note: You cannot move or copy a pre-persistence rule into a rule group that has been scheduled. 


1. In the Rules view, navigate to a rule and drag and drop it into another group. 

2. Select Move to move the rule, Copy to make a separate copy of the rule, or Link to create a copy 
of the rule that is linked to the original rule. 

If you select Copy, you create a separate copy of the rule that is not affected when the original rule is 
edited. If you select Link, you create a copy of the rule that is linked to the original rule. Therefore, if 
you edit a linked rule, whether it be the original or the copy, all links are edited as well. When deleting 
linked rules, you can either delete the selected rule or all linked rule copies. 


Enabling and Disabling Rules 

You can enable (set to on) or disable (set to off) rules. ESM can also automatically disable rules. If a 
rule is disabled or off, the rule is grayed out on the Navigator panel in the Rules resource tree. 

Note: Keep in mind that only rules deployed in Real-time Rules show up in a live channel when 
they are triggered. Therefore, after you have created and verified rules and you are ready to deploy 
them on real-time events, move or copy the rules to your user folder under Real-time Rules as 
described in "Deploying Real-time Rules" on page 536. 


Tip: ESM profiles rule performance by measuring their evaluation time on a sampling basis. You 
can view these results from the Rules Status dashboard and from there, you may manually disable 
rules which you deem expensive. 


To enable rules: 

In the Navigator panel's Rules resource tree, right-click the rule and choose Enable Rule. The rule is 
displayed as enabled or on in the Navigator. 

To disable rules: 

In the Rules resource tree, right-click a rule and choose Disable Rule. The rule is displayed as 
disabled or off in the Navigator. 

Note: If ESM has automatically disabled a rule, you must manually disable the rule as described; 
otherwise the rule will continue to fire and will be automatically disabled in a circular manner. This 
process is resource intensive. See "Automatically Disabled Rules " on page 1029 for details. 


To disable rule components: 

You can disable certain components of a rule, such as particular rule triggers or a rule actions 
associated with particular triggers. For information on this, see: 

• "Activating or De-activating a Rule Trigger" on page 517 

• "Enabling or Disabling a Rule Action" on page 517 




Deleting Rules 

1. In the Rules resource tree of the Navigator panel, right-click a rule and choose Delete Rule. 

2. Click Yes in the confirmation dialog box. 


Specifying Rule Conditions 

After creating a new rule or opening an existing rule for editing, you can specify conditions on which a 
rule triggers, based on specific event, filter, asset, or vulnerability criteria. Like other ArcSight analysis 
components, rules editing uses the "Common Conditions Editor (CCE)" on page 864. See also 
"Condition Tree Command Buttons" on page 866, "Condition Tree Context Menu Commands" on 
page 868, and "Adding Conditions" on page 872. You cannot save a rule without specifying at least one 
condition. 

Topics include: 

• "Creating Rule Conditions" below 

• "Adding Filter Conditions" on page 500 

• "Adding Asset Conditions" on page 500 

• "Adding Vulnerability Conditions" on page 501 

• "Adding Active List (InActiveList) Conditions" on page 502 

• "Creating Matching or Join Conditions" on page 504 

• "Negating Event Conditions" on page 506 

• "Optimizing the Evaluation of Event Conditions" on page 508 


Creating Rule Conditions 

The Conditions tab provides a default event alias, event1, which you edit and to which you add 
condition statements for evaluation. 


Note: Standard rules can have multiple event conditions, while lightweight and pre-persistence 
rules are limited to only one. 
To specify rule conditions: 

1. In the Rules Editor, select the Conditions tab. 

2. To edit the event alias (change its default name), right-click event1 and select Edit. Enter a new 
name for the alias in the text field and click OK. 

Because rules can have numerous events, aliases should be unique and descriptive. For example, 
if monitoring Cisco Router denied events, Cisco Router denied could be the alias name. The 
name appears as a branch under the Event conditions tree. 

3. Add a condition statement to the event alias using the Common Conditions Editor table (usage 
rules and features of this editor are described in "Common Conditions Editor (CCE)" on page 864): 

a. Locate the event name you want to use in the condition statement. 

b. Choose the logical operator (for example, =) to be used for comparing values. If you need help, 
see "Logical Operators" on page 999 for descriptions. 

c. Choose the value from the drop-down list under the Condition column to use as the basis for 
comparison. 

Note: If you want to use a global variable for the condition statement, you can attach one 
by clicking the +/- Global Variables button and then choosing the global variable from the 
resource selector popup. The selected global variable will be added to the Common 
Conditions Editor table at the bottom. See "Global Variables" on page 993 for more 
information. 

4. For standard rules only: To add more event aliases, select Event conditions and click the New 
Event Definition button; or right-click Event conditions and choose New Event Definition. 
Enter an event name in the Alias text field and click OK. 

If you have more than one event alias, a Matching Event branch appears. This enables you to 
define a join relationship on the multiple event aliases. For more information on joining two events, 
see "Creating Matching or Join Conditions" on page 504. Other important references are "Logical 
Operators" on page 999 and "Conditions" on page 880. 

If you are working on a non-standard rule, you will not be able to save the rule if you have more 
than one event condition. 

5. On the Conditions tab, click Apply. 

The rule with the default threshold and action is created and listed in the Rules resource tree. 

For standard rules only, see "Specifying Rule Thresholds and Aggregation" on page 511 for aggregation 
time-frame options. 
Adding Filter Conditions 

Add a filter to a rule through a new event alias. Use an existing filter resource if you can, and associate 
it with the event alias. A filter condition states “If an event occurs and it matches an event in the 
specified filter, generate a correlation event.” 

For more information on filters, see "Filtering Events" on page 286. 

To add a filter condition to a rule: 

1. In the Rules Editor, select the Conditions tab and select the event alias to which you want to add 
a filter condition. 

2. Click the And, Or, or Not button; or right-click a logical operator and choose New Logical 
Operator, then And, Or, or Not. 

If there are existing conditions, you can tie them to the filter condition with either the AND, OR, or 
NOT logic operator. If AND is used, all the existing conditions and the filter condition must occur in 
the event. If OR is used, either the existing conditions or the filter condition must occur. If NOT is 
used, all but the filter condition must occur. 

3. Right-click the logical operator and select New Matches Filter Condition. 

4. In the Filter Selector, select a filter and click OK. 

5. On the Conditions tab, click OK. 

The Common Condition Editor's buttons and commands are discussed further in "Creating Filters" on 
page 286. 

See also "Condition Tree Command Buttons" on page 866, "Condition Tree Context Menu Commands" 
on page 868, and "Adding Conditions" on page 872 under "Common Conditions Editor (CCE)" on 
page 864. 


Adding Asset Conditions 

Asset conditions state whether your enterprise assets are targets or sources of events. An asset 
condition states “if an event occurs and the selected asset is the source or target, generate a 
correlation event.” Assets are part of your network model as described in "Modeling the Network" on 
page 98. 

To add an asset condition to a rule: 

1. In the Rules resource tree, right-click a rule and choose Edit Rule. 

2. In the Rules Editor, select the Conditions tab. 
3. Click the And, Or, or Not button, or right-click a logical operator and choose New Logical 
Operator, then And, Or, or Not. 

If there are existing conditions, you can tie them to the asset condition with either the AND, OR, or 
NOT logic operator. If AND is used, all the existing conditions and the asset condition must occur 
in the event. If OR is used, either the existing conditions or the asset condition must occur. If NOT 
is used, all but the asset condition must occur. 

4. Select the logical operator and click the Assets button on the rule editor toolbar, or right-click the 
logical operator and select New Assets Condition. 

5. In the Assets panel below, select Source Asset ID to monitor if an asset is the source of an event 
or Target Asset ID to monitor if an asset is the target. 

6. Select an asset or group and click Apply. 

The asset condition appears in the Correlate section and is tied to any existing condition 
statements with the logic operator selected. 

7. On the Conditions tab, click OK. 

See also "Condition Tree Command Buttons" on page 866, "Condition Tree Context Menu Commands" 
on page 868, and "Adding Conditions" on page 872 under "Common Conditions Editor (CCE)" on 
page 864. 


Adding Vulnerability Conditions 

You can use an existing enterprise vulnerability to create a rule condition. A vulnerability condition 
states “If an event occurs with the vulnerability selected, generate a correlation event.” For more 
information on vulnerabilities, see "Modeling the Network" on page 98. 

To add a vulnerability condition to a rule: 

1. In the Rules resource tree, right-click a rule and choose Edit Rule. 

2. In the Rules Editor, select the Conditions tab. 

3. Click the And, Or, or Not button or right-click a logical operator and choose New Logical 
Operator, then And, Or, or Not. 

If there are existing conditions, you can tie them to the vulnerability condition with either the AND, 
OR, or NOT logic operator. If AND is used, all the existing conditions and the vulnerability 
condition must occur in the event. If OR is used, either the existing conditions or the vulnerability 
condition must occur. If NOT is used, all but the vulnerability condition must occur. 

4. Choose the logical operator and click the Has Vulnerability button on the rule editor toolbar, or 
right-click the logical operator and choose New Has Vulnerability. 
5. In the Vulnerability Selector, select a vulnerability and click OK. 

The vulnerability appears on the Conditions tab and is tied to any existing condition statements 
with the logic operator selected. 

6. On the Conditions tab, click OK. 

See also "Condition Tree Command Buttons" on page 866, "Condition Tree Context Menu Commands" 
on page 868, and "Adding Conditions" on page 872 under "Common Conditions Editor (CCE)" on 
page 864. 


Adding Active List (InActiveList) Conditions 

Use the Active List selector to identify a particular active list that contains the argument for 
a condition. This condition evaluates whether an item or list of items is in an active list. You can use 
this to map a field or a global variable in the event schema to a corresponding field in an active list. It 
does not evaluate items in other non-event schemas (such as cases or assets). 

Comparing values in two lists: 

When the InActiveList condition is used to compare values in two lists, an additional option is shown 
where you can specify whether All values in list field must match. 

For example, suppose you have a fields-based multi-mapped active list that has User Name as a key 
field and accepts entries with multiple roles for the same user in the Role Name field: 

[Screenshot: Inspect/Edit panel showing the active list entries] 



Then suppose you set up an Active List (InActiveList) rule condition to compare the value of Role 
Name to a list type string field, like ActorByAccountID.FullName. If you then get list entries in your 
active list (for example, user “Samantha Stevens” with roles as both “Administrator” and “Development 
Lead”), then your rule results in a comparison of two lists: 

• The list of Samantha Stevens’ roles 

• The ActorByAccountID.FullName list 



• If All values in list field must match is checked (selected), the Active List condition evaluates to 
true only if all values in both lists match (that is, all values must be in both lists for the condition to 
be true). 

• If All values in list field must match is not checked (de-selected), then if any field matches (is in 
both lists), the condition statement evaluates to true. This is the default behavior for queries. 


Note: When using the InActiveList condition, remember the following: 

■ The InActiveList condition evaluates single-value and multi-value attributes. The field you 
map could possibly return multiple values (for example, a user could have multiple roles). In 
the case of multi-value attributes, if any one value matches, the condition evaluates to true. 

■ A condition that tests for whether all or any values in a list match is only available to specify 
on in-memory operations (for example, in rules, filters, data monitors). 
See also "Condition Tree Command Buttons" on page 866, "Condition Tree Context Menu Commands" 
on page 868, and "Adding Conditions" on page 872 under "Common Conditions Editor (CCE)" on 
page 864. 


Creating Matching or Join Conditions 

This topic applies to standard rules only. It provides examples for creating matching or join conditions 
and suggestions for optimizing the use of resources to process such rules. 

A matching or join condition is a condition statement that joins two data fields with the Matching or Join 
condition logic operator on the Conditions tab. Creating matching or join conditions using data fields 
provides the flexibility of creating conditions without knowing the specific data field's values. You can 
create the following join data field conditions: 

• Same data field for two events: EventOne <data field A> <logic operator> EventTwo <data 
field A>. For example, EventOne Source Address = EventTwo Source Address. In this 
example, both event data fields must have the same value. This rule is useful when monitoring 
activity from an unknown Source Address that is generating numerous events. 

• Different data fields for two events: EventOne <data field A> <logic operator> EventTwo 
<data field B>. For example, EventOne Source Address = EventTwo Target Address. In 
this example, the Source Address of the first event must equal the Target Address of the second 
event. 

• Different data fields for the same event: EventOne <data field A> <logic operator> 
EventOne <data field B>. For example, EventOne Source Address = EventOne Target 
Address. In this example, the Source Address must equal the Target Address of the same event. 


Note: There is a relatively high memory cost for join rules with low-selectivity join conditions 
(such as same source IP or same target IP). Just like queries in SQL, the more selective the 
conditions (the conditions on the individual events as well as the join conditions), the less 
expensive it is to execute, because fewer conditions match. 


You can dramatically reduce the correlation engine's memory consumption, by as much as 50% in 
some cases, through a few techniques. When authoring a rule, order the conditions on the events to be 
correlated (or joined) by placing the most restrictive conditions first; for example, add join conditions 
like event1's Source Address = event2's Source Address or event2's Detect Time = 
event1's Detect Time. 

If your condition specifies more than one event alias, you can set any or all of them with the Consume 
After Match flag. This means that if a matching event is found and the rule is triggered, the rule will not 
correlate the event any further. Without the Consume After Match flag, the event is kept in working 
memory even after a matching event is found and the rule has been triggered. The event alias continues 
to be combined with events matching other aliases until the event itself expires. 

If enabled, the Consume flag appears next to the event alias on the Conditions tab: 

EventOne (Consume after match) 
Tip: See also "Optimizing the Evaluation of Event Conditions" on page 508. 

Note: Lightweight and pre-persistence rules have only one event, therefore, the Consume After 
Match option is not available. 


To create a rule with matches or joins (with two or more events): 

1. In the Rules resource tree, right-click a rule and choose Edit Rule. 

2. In the Rules Editor, select the Conditions tab. 

3. Select the Matching Event branch and: 

a. Select New Logical Operator. 

b. Select And, Or, or Not. 

c. Add the second event that is tied to the first event. 

When adding join conditions, you need to decide how the new condition ties to the existing events 
in the rule. If you use And, the new join condition must occur, in addition to the existing events, to 
trigger the rule. If you use Or, the new join condition or the existing events must occur. If you use 
Not, all but the new join condition must occur. The logical operator appears as a branch under 
Joins. 

4. Click the Join Condition button or right-click the logical operator and select New Join 
Condition. 

A condition statement appears, displaying event, data field, and logic operator text fields. These 
fields are combined to create <event> <data field> <logic operator> <event> <data 
field> condition statements. For example, if monitoring for the same Source Address data field in 
EventOne and EventTwo, the condition statement would be EventOne Source Address = 
EventTwo Source Address. 

5. Select one of the following join data field conditions to use in the following steps: 

■ When monitoring for the same data fields for two events use EventOne <data field A> 
<logic operator> EventTwo <data field A>. 

■ When monitoring for different data fields for two events use EventOne <data field A> 
<logic operator> EventTwo <data field B>. 

6. In the text fields, choose an event and data field from the drop-down menus. 

Select data fields that you want to monitor but for which you don't have values. For more 
information, see "Data Fields" on page 885. 
7. Choose a logic operator from the drop-down menu. 

8. Choose an event and data field from the drop-down menus. 

9. Optionally right-click and select Consume After Match on one, some, or all of the event aliases. 
Doing so reduces the number of rule firings by using the matching event in only one join. 

10. Click OK. 

The join data field condition appears as a branch under the Matching Event logical operator. 

11. On the Conditions tab, click OK. 

See also "Condition Tree Command Buttons" on page 866, "Condition Tree Context Menu Commands" 
on page 868, and "Adding Conditions" on page 872 under "Common Conditions Editor (CCE)" on 
page 864. 
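The join conditions and the Consume After Match flag described above, modelled as an added Python example (this is not ESM code). It assumes a rule with the two aliases EventOne and EventTwo joined by an equality between one field of each, working memory without alias expiration, and a constructed set of sample events.

```python
"""Two-alias join rule with optional Consume After Match (illustrative model, not ESM code)."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


class JoinRule:
    """Standard rule whose join condition is EventOne.<field_one> = EventTwo.<field_two>."""

    def __init__(self, event_one: Callable[[Event], bool], event_two: Callable[[Event], bool],
                 join_fields: Tuple[str, str], consume: Tuple[str, ...] = ()):
        self.aliases = {"EventOne": event_one, "EventTwo": event_two}  # alias -> its condition
        self.field_one, self.field_two = join_fields
        self.consume = set(consume)            # aliases flagged Consume After Match

    def joins(self, one: Event, two: Event) -> bool:
        return one[self.field_one] == two[self.field_two]


def run_rule(rule: JoinRule, events: List[Event]) -> List[Tuple[int, int]]:
    """Feed events in arrival order; return the (EventOne id, EventTwo id) pairs that fired.

    Working memory keeps every event that satisfied an alias (alias expiration is left out,
    a simplification). A consumed event leaves working memory after its first match, so it
    cannot pair with later events; an unconsumed event keeps pairing until it would expire.
    """
    memory: Dict[str, List[Event]] = {"EventOne": [], "EventTwo": []}
    firings: List[Tuple[int, int]] = []
    for ev in events:
        consumed = False
        for alias, condition in rule.aliases.items():
            if consumed or not condition(ev):
                continue
            other = "EventTwo" if alias == "EventOne" else "EventOne"
            for candidate in list(memory[other]):
                if candidate is ev:            # an event never joins with itself
                    continue
                one, two = (ev, candidate) if alias == "EventOne" else (candidate, ev)
                if not rule.joins(one, two):
                    continue
                firings.append((one["id"], two["id"]))
                if other in rule.consume:      # Consume After Match on the retained alias
                    memory[other].remove(candidate)
                if alias in rule.consume:      # Consume After Match on the incoming alias
                    consumed = True
                    break
            if not consumed:
                memory[alias].append(ev)
    return firings


# Constructed sample events (not from the guide); ids give the arrival order.
EVENTS: List[Event] = [
    {"id": 1, "name": "Login Failed",  "sourceAddress": "10.0.0.5", "targetAddress": "10.0.1.1"},
    {"id": 2, "name": "Login Success", "sourceAddress": "10.0.0.5", "targetAddress": "10.0.1.1"},
    {"id": 3, "name": "Login Success", "sourceAddress": "10.0.0.5", "targetAddress": "10.0.1.2"},
    {"id": 4, "name": "Login Failed",  "sourceAddress": "10.0.0.9", "targetAddress": "10.0.1.1"},
    {"id": 5, "name": "Login Success", "sourceAddress": "10.0.0.7", "targetAddress": "10.0.1.1"},
    {"id": 6, "name": "Login Success", "sourceAddress": "10.0.1.1", "targetAddress": "10.0.0.5"},
]


def is_failed_login(ev: Event) -> bool:
    return ev["name"] == "Login Failed"


def is_successful_login(ev: Event) -> bool:
    return ev["name"] == "Login Success"


def same_field_join() -> List[Tuple[int, int]]:
    """EventOne Source Address = EventTwo Source Address, no Consume flag: event 1 pairs twice."""
    rule = JoinRule(is_failed_login, is_successful_login, ("sourceAddress", "sourceAddress"))
    return run_rule(rule, EVENTS)


def same_field_join_consumed() -> List[Tuple[int, int]]:
    """Same join with Consume After Match on EventOne: event 1 leaves memory after one match."""
    rule = JoinRule(is_failed_login, is_successful_login, ("sourceAddress", "sourceAddress"),
                    consume=("EventOne",))
    return run_rule(rule, EVENTS)


def different_field_join() -> List[Tuple[int, int]]:
    """EventOne Source Address = EventTwo Target Address: the failed login's source is later a target."""
    rule = JoinRule(is_failed_login, is_successful_login, ("sourceAddress", "targetAddress"))
    return run_rule(rule, EVENTS)


if __name__ == "__main__":
    print("no consume:      ", same_field_join())
    print("consume EventOne:", same_field_join_consumed())
    print("cross-field join:", different_field_join())
```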


Editing or Deleting Join Data Field Conditions 

1. In the Rules resource tree, right-click a rule and select Edit Rule. 

2. In the Rules Editor, select the Conditions tab and do the following: 

■ To edit the logical operator, right-click the logical operator and select Edit or select the logical 
operator and press Enter. In the text field, select a logical operator and click OK. 

■ To edit the condition statement, right-click the condition statement and select Edit, or select the 
condition statement and press Enter. In the text field, make edits and click OK. For more 
information, see "Creating or Editing Rules" on page 495. 

■ To delete the Matching Event event, right-click Matching Event and select Delete. In the dialog 
box, click Yes. The event, its logical operators, and condition statements are deleted. 

■ To delete the logical operator, right-click the logical operator and select Delete. In the dialog box, 
click Yes. The logical operator and all its condition statements are deleted. 

■ To delete the condition statement, right-click the condition statement and select Delete. In the 
dialog box, click Yes. 

3. Click OK. 


Negating Event Conditions 

This information applies to standard rules. 

In addition to monitoring event conditions that occur, you can monitor event conditions if they don’t 
occur by negating these conditions. For example, you defined an event alias called BadgeScan because 
you want to monitor badge scans before an application is accessed (for which you defined an event 
alias called Login). You negate the BadgeScan event and set the rule to trigger if BadgeScan does not 
happen before the Login event is reported. For such a rule, the events must have already happened 
(they are past events) before the rule is triggered. 

You can also negate a future event condition. For example, consider this sequence of events you want 
to monitor: 

1. A server reboots (ServerReboot event). 

2. The server successfully comes up and is available again (ServerUp event). 

3. If the server does not come up, you want to be notified. 

In this case, you will negate the ServerUp event condition so that the rule is triggered if that event is not 
received (the server does not come up from a reboot) on the same device. A time out property is used in 
conjunction with negating an event condition. If the negated event is not received within the specified 
timeout, then the rule is triggered. For purposes of discussion, we will use the term “positive events” for 
events that are not negated. 

To negate event conditions: 

Note: Before following the procedures, make sure the rule has multiple event conditions so you 
can negate at least one. To create event conditions, see "Creating or Editing Rules" on page 495. 


1. In the Rules resource tree, right-click a standard rule and choose Edit Rule. 

2. In the Rules Editor, select the Conditions tab. 

3. Right-click an event alias and select Negated. 

4. Right-click the negated event alias and select Set Negated Alias Timeout. 

5. In the popup, enter a Time Out value and specify the time unit in Seconds, Minutes, or Hours. 
Then click OK. 

Time Out is the amount of time to wait between the occurrence of the positive event and the 
non-occurrence of the negated event, after which the rule is triggered. 


Tip: More information on using Time Out: 

■ For the rule to fire, the "Alias Expiration" time for all positive event conditions must be 
greater than the negated event condition’s time out value. 

■ When the Time Out value is saved, you cannot change it unless you right-click the 
negated event, uncheck Negated, right-click the same event, and select Negated again. 
■ Timeout values are cumulative. The rule will wait for the sum of the event timeouts before 
firing. See the description of the time out setting in "Aggregation Time Criteria" on 
page 513. 

■ If a rule has multiple negated event aliases, set the timeout of one negated alias to three 
minutes, then set the remaining timeout values to zero. For example, consider a rule with 
three event aliases: event1 is positive, event2 is negated with timeout = 1 minute, and 
event3 is negated with timeout = 2 minutes. The rule will not trigger until at least 3 minutes 
after event1 has been matched. Moreover, if the event expiration time (by default the 
aggregation time window) is only 2 minutes, the rule will not trigger at all because event1 
will be removed from memory prior to the cumulative timeout. 


On the Conditions tab, the negated event is preceded by an exclamation point (!) and the time out 
period appears next to the event. The following example shows a five-minute time out period. 

!<EventName> (Time Out: 5m) 

6. To remove the Negated flag, right-click the negated event and select Negated again. 

See also "Condition Tree Command Buttons", "Condition Tree Context Menu Commands", and 
"Adding Conditions" under Common Conditions Editor (CCE). 
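The ServerReboot / ServerUp case and the Time Out tips above, as an added Python model (not ESM code) of negated aliases. It assumes that the negated events must come from the same device as the positive event, that the rule fires when any negated event is still missing at the end of the cumulative wait, and it runs on a constructed timeline measured in seconds.

```python
"""Negated event aliases with Time Out (illustrative model, not ESM code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Ev:
    name: str     # event alias the event satisfies, e.g. "ServerReboot"
    device: str   # device the event came from
    t: int        # seconds on a constructed timeline


def negated_rule_firings(events: List[Ev], positive: str, timeouts: Dict[str, int],
                         alias_expiration: int) -> List[Tuple[str, int]]:
    """Return (device, fire_time) for each positive event whose negated events did not all arrive.

    positive:          alias name of the positive (non-negated) event
    timeouts:          negated alias name -> Time Out in seconds; the rule waits for their sum
    alias_expiration:  seconds the positive event stays in working memory

    Assumptions not stated in the guide: the negated events must come from the same device as
    the positive event, and the rule fires when at least one negated event is missing.
    """
    wait = sum(timeouts.values())          # Time Out values are cumulative
    if alias_expiration <= wait:
        # The positive event is removed from memory before the wait elapses: never fires.
        return []
    firings: List[Tuple[str, int]] = []
    for p in (e for e in events if e.name == positive):
        deadline = p.t + wait
        seen = {e.name for e in events
                if e.device == p.device and e.name in timeouts and p.t < e.t <= deadline}
        if any(alias not in seen for alias in timeouts):
            firings.append((p.device, deadline))
    return firings


# Constructed timeline (seconds): three reboots, two recoveries, one of them too late.
TIMELINE = [
    Ev("ServerReboot", "srv-a", 0),
    Ev("ServerReboot", "srv-b", 30),
    Ev("ServerReboot", "srv-c", 60),
    Ev("ServerUp", "srv-a", 120),          # srv-a back within 2 minutes
    Ev("HealthCheckOK", "srv-a", 150),     # hypothetical second negated alias
    Ev("ServerUp", "srv-c", 600),          # srv-c back only after 10 minutes
]


def single_negated_alias() -> List[Tuple[str, int]]:
    """ServerUp negated, Time Out 5m, alias expiration 10m: srv-b and srv-c never came up in time."""
    return negated_rule_firings(TIMELINE, "ServerReboot", {"ServerUp": 300}, alias_expiration=600)


def expiration_too_short() -> List[Tuple[str, int]]:
    """Alias expiration equal to the Time Out: ServerReboot expires first, so nothing fires."""
    return negated_rule_firings(TIMELINE, "ServerReboot", {"ServerUp": 300}, alias_expiration=300)


def two_negated_aliases() -> List[Tuple[str, int]]:
    """ServerUp (1m) and HealthCheckOK (2m) negated: the rule waits the 3-minute sum."""
    return negated_rule_firings(TIMELINE, "ServerReboot",
                                {"ServerUp": 60, "HealthCheckOK": 120}, alias_expiration=600)


if __name__ == "__main__":
    print(single_negated_alias())
    print(expiration_too_short())
    print(two_negated_aliases())
```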


Optimizing the Evaluation of Event Conditions 

This topic is written for advanced content authors. The topic describes how to automate the 
optimization of event conditions to reduce impact on CPU usage. The feature applies to all rule types. 


Evaluating event conditions is one of the most resource-intensive operations in event processing. ESM 
evaluates event conditions in the sequence they appear on the rule’s Conditions tab. The following 
example shows event conditions: 

[Figure: Conditions tab of a rule, with the outer and inner nodes marked. The event conditions shown are: 

• Name Contains syn [ignore case] 

• Type = Base 

• Category Significance StartsWith /Compromise 

• Category Technique = /DoS 

• NOT 
  InActiveList("/All Active Lists/ArcSight System/Tuning/Event-based Rule Exclusions") 

• OR 
  MatchesFilter("/All Filters/ArcSight Core Security/IDS-IPS Monitoring/IDS-IPS Events") 
  MatchesFilter("/All Filters/ArcSight Foundation/Common/Device Class Filters/Firewall Events")] 

The outer and inner nodes indicate nested conditions. As far as resource usage is concerned, the 
general guideline is to order these conditions from the most economical to the most expensive, that is, 
put the least costly condition on top. However, this may not be enough; you must also consider the 
TRUE/FALSE rate and whether you are using OR or AND operators. 
Automating Condition Optimization 

Requirement: To optimize the evaluation of event conditions, rules must be deployed in the Console's 
Real-time Rules. 

ESM can evaluate event conditions and, if necessary, re-sequence the order in which they are 
evaluated, through this property setting in the server.properties file: 

rule.dm.optimize.evaluation=true 


This setting automates the process of evaluating and optimizing all of your deployed rules and data 
monitors. The optimization process occurs in memory and leaves your resources intact. If there are 
changes, for example, real-time rules are updated, or the user de-activates and then re-activates the 
rule, optimization runs again. 

The following line in server.log denotes the end of optimization: 

End of conditions optimization in <n> events 


Note: Refer to the ESM Administrator's Guide's Configuration section for more information: 

• For detailed instructions on how to add settings to the server.properties file, refer to the 
topic, "Managing and Changing Properties File Settings." 

• For information on the server.log file, refer to the topic, "Configuring Manager Logging." 


Tracing the Optimization 

The tracing feature described here is optional; however, if you want to use this feature, the condition 
optimization setting must be turned on first. The tracing feature enables you to capture information 
about how your rules were optimized. The information is stored in server.log. 

To use the tracing feature, add this property setting in the server.properties file: 

rule.dm.trace.optimize.evaluation=true 


This setting records in the server.log file the original sequence of conditions and how these 
conditions are re-ordered (optimized). 

To locate the information in the log file, search for the rule’s name. The following example shows the log 
statements that include the evaluated rule’s URI (shown to be under Real-Time Rules) and a sampling 
of the profiled values. The profile describes the average time in nanoseconds a specific condition took 
to process. The condition’s position is indicated by an index starting with position 0. The profile in the 
log indicates that the costliest condition at Index 4 took an average of 2,375 nanoseconds over a 
sampling of 23: 
Standard Rule 

[2014-06-25 10:15:56,630] [ INFO ] [default.com.arcsight.common.simplerulesengine.engine.d] Optimizing /All Rules/Real-time Rules/Intrusion Monitoring/Attack Monitoring/DoS/SYN Flood Detected by IDS or Firewall 

Profiled values are 

[ Index=2, avgTime=366, numSamples=23, Index=3, avgTime=407, numSamples=23, Index=1, 
avgTime=434, numSamples=23, Index=0, avgTime=928, numSamples=22, Index=5, 
avgTime=1793, numSamples=23, Index=4, avgTime=2375, numSamples=23] 


The following lines indicate the order of conditions (denoted as nodes) as originally defined. The 
number at the end of each node is its index: 

Original nodes are 

Node : name Contains "syn"  0 

Node : type EQ "Base"  1 

Node : categorySignificance StartsWith "/Compromise"  2 

Node : categoryTechnique EQ "/DoS"  3 

Node : Not (<deviceEventClassId, name, attackerZoneName, attackerAddress, targetZoneName, 
targetAddress>InActiveList("H7nDOZBOBABCB337GCqa7qw==:/All Active Lists/ArcSight 
System/Tuning/Event-based Rule Exclusions:::"))  4 

Node : ((categoryDeviceGroup StartsWith "/IDS" And type EQ "Base" And 
categoryDeviceGroup NE "/IDS/Host/Antivirus") Or categoryDeviceGroup EQ "/Firewall")  5 




The following lines indicate the optimized order of conditions (denoted as nodes): 


Optimized nodes are 

Node : categorySignificance StartsWith "/Compromise"  Moved from position 2 

Node : categoryTechnique EQ "/DoS"  Moved from position 3 

Node : type EQ "Base"  Moved from position 1 

Node : name Contains "syn"  Moved from position 0 

Node : ((categoryDeviceGroup StartsWith "/IDS" And type EQ "Base" And 
categoryDeviceGroup NE "/IDS/Host/Antivirus") Or categoryDeviceGroup EQ "/Firewall")  Moved from position 5 

Node : Not (<deviceEventClassId, name, attackerZoneName, attackerAddress, targetZoneName, 
targetAddress>InActiveList("H7nDOZBOBABCB337GCqa7qw==:/All Active Lists/ArcSight 
System/Tuning/Event-based Rule Exclusions:::"))  Moved from position 4 


Observe how nodes were moved up and down to indicate which conditions are evaluated first. Index 4, 
originally profiled as the costliest, is now evaluated last. 
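An added Python example (not ESM code) that parses the "Profiled values" line from the log above and reproduces the optimized order; the second part goes beyond the guide by weighting each condition's cost with its TRUE/FALSE rate for AND and OR nodes, as the ordering guideline earlier in this topic suggests. The node texts are abbreviated from the log; the cost and true-rate figures in CONDS are constructed.

```python
"""Condition ordering from profiled costs (illustrative, not ESM code)."""
import re
from typing import Dict, List, Sequence, Tuple

# The 'Profiled values' log line from the guide's SYN Flood example, OCR spacing normalized.
PROFILE_LINE = (
    "Profiled values are [ Index=2, avgTime=366, numSamples=23, Index=3, avgTime=407, numSamples=23, "
    "Index=1, avgTime=434, numSamples=23, Index=0, avgTime=928, numSamples=22, "
    "Index=5, avgTime=1793, numSamples=23, Index=4, avgTime=2375, numSamples=23]"
)
PROFILE_RE = re.compile(r"Index=(\d+),\s*avgTime=(\d+),\s*numSamples=(\d+)")

# Original node order from the guide's log (texts abbreviated), keyed by index.
ORIGINAL_NODES = {
    0: 'name Contains "syn"',
    1: 'type EQ "Base"',
    2: 'categorySignificance StartsWith "/Compromise"',
    3: 'categoryTechnique EQ "/DoS"',
    4: 'Not (<...>InActiveList("/All Active Lists/ArcSight System/Tuning/Event-based Rule Exclusions"))',
    5: '((categoryDeviceGroup StartsWith "/IDS" And ...) Or categoryDeviceGroup EQ "/Firewall")',
}


def parse_profile(line: str) -> Dict[int, Tuple[int, int]]:
    """Map condition index -> (average nanoseconds, number of samples)."""
    return {int(i): (int(t), int(n)) for i, t, n in PROFILE_RE.findall(line)}


def order_by_cost(profile: Dict[int, Tuple[int, int]]) -> List[int]:
    """Cheapest condition first, which is the order the optimizer's log shows."""
    return sorted(profile, key=lambda idx: profile[idx][0])


def optimized_listing(profile: Dict[int, Tuple[int, int]], nodes: Dict[int, str]) -> List[str]:
    """Render the 'Optimized nodes' lines the way server.log does."""
    return [f"Node: {nodes[idx]}  Moved from position {idx}" for idx in order_by_cost(profile)]


def expected_cost(conds: Sequence[Tuple[str, float, float]], order: Sequence[int],
                  operator: str) -> float:
    """Expected evaluation cost of short-circuit conditions in the given order.

    conds: (name, cost, true_rate). An AND node keeps evaluating while conditions are true,
    an OR node while they are false; the remaining conditions are skipped otherwise.
    """
    total, keep_going = 0.0, 1.0
    for idx in order:
        _, cost, p_true = conds[idx]
        total += keep_going * cost
        keep_going *= p_true if operator == "AND" else (1.0 - p_true)
    return total


def best_order(conds: Sequence[Tuple[str, float, float]], operator: str) -> List[str]:
    """Generalization beyond the guide: rank conditions by cost / probability of stopping.

    For AND that is cost / (1 - true_rate), for OR it is cost / true_rate. This minimizes the
    expected cost above and differs from cheapest-first when TRUE/FALSE rates differ a lot.
    """
    def rank(idx: int) -> float:
        _, cost, p_true = conds[idx]
        stop = (1.0 - p_true) if operator == "AND" else p_true
        return cost / stop if stop > 0 else float("inf")
    return [conds[idx][0] for idx in sorted(range(len(conds)), key=rank)]


# Constructed example: a cheap condition that is almost always true versus a costlier selective one.
CONDS = [("cheap_but_rarely_false", 100.0, 0.99), ("costly_but_selective", 300.0, 0.05)]


if __name__ == "__main__":
    for line in optimized_listing(parse_profile(PROFILE_LINE), ORIGINAL_NODES):
        print(line)
    print("AND cheapest-first:", expected_cost(CONDS, [0, 1], "AND"))
    print("AND selective-first:", expected_cost(CONDS, [1, 0], "AND"))
    print("AND best order:", best_order(CONDS, "AND"))
```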

To save a rule in its optimized state: 

If you are a content author, you can leverage this log information to modify your rule permanently. This 
procedure is optional. 

1. Refer to the log. Re-order the rule conditions to match the optimized sequence. 

2. Save the rule in its optimized state. 

You may then disable the tool, described in "Disabling the Optimization Feature" on the next page. 
Disabling the Optimization Feature 

Optimization runs only once on all existing rules, then the profiles for the evaluated rules are stored in 
the log file. However, if you change any deployed rule, evaluation and optimization runs again. 

Changes include adding and updating a rule, and disabling and re-enabling a rule. 

When you no longer need the optimization feature, you can change the optimization setting to false in 
server.properties. 


Specifying Rule Thresholds and Aggregation 

Thresholds are defined as an aggregate number of occurrences within a time span. When a threshold is 
met, the rule triggers an action. 

The Rules Editor's Aggregation tab is enabled for standard rules only. It is disabled for lightweight and 
pre-persistence rules. 

Caution: If you set a rule to aggregate over fields of a multi-mapped active list or overlapping 
session list, the rule might fire multiple times, once for each field value in the corresponding list 
entries. The Console displays a warning to this effect when such a list field is selected in the 
Aggregation tab. 

We recommend that you do not set rules to aggregate over multi-mapped active list or overlapping 
session list fields, and also add entries to the same list in a rule action ("Adding, Editing, or 
Removing a Rule Action" on page 516). Setting both aggregation and rule actions to add entries to 
the same multi-mapped or overlapped list can cause the number of triggered rules to increase to an 
unmanageable level. 

Topics include: 

• "Setting or Changing Rule Thresholds" below 

• "Aggregation Time Criteria" on page 513 

• "Deleting Aggregation from a Rule" on page 515 


Setting or Changing Rule Thresholds 

1. In the Rules Editor, select the Aggregation tab. 

2. In the Number of Matches field, enter a number if you want more than one matching event. 

3. In the Time Frame field, enter an appropriate value and choose a time unit. 

4. If you want to aggregate on the basis of certain fields' content being distinct, click Add under the 
Aggregate only if these fields are unique pane to select the fields to use. Select fields from 
global variables, field sets, and local variables. 


Tip: Fields are unique only when the combined value of all fields is unique. For example, 
suppose you wanted to aggregate on three fields: Event Name, Event Message, and 
Category Outcome, with a threshold of two matches. If you received two events both with 
values of Failed Login, Attempt, and Failure for these fields, respectively, these events 
would not be aggregated. 

However, if you received only one event like the first example, and another with values of 
Failed Login, Attempt, and Success, these two events would be aggregated because the 
combined value is not the same for the given threshold number of events. 

Aggregating on unique fields is applicable when you want to monitor widespread conditions, 
such as an attack on ten unique systems. 

You can use the rule action to set an event field with a unique aggregation field’s value. See 

"Set Event Field" on page 522 for details. 


5. If you want to aggregate on the basis of certain fields' content being identical, click Add under the 
Aggregate only if these fields are identical pane to select the fields to use. Select fields from 
global variables, field sets, and local variables. 

6. Click OK. 

The choices you make are expressed as a conditional statement in the Summary panel. 

Examples of Grouping Unique or Identical Field Values 

You can use aggregation techniques to group unique or identical field values and map them into an 
active list through the Add to Active List rule action (refer to the rule action, "Set Event Field" on 
page 522). 

For the examples here, assume there is an event-based active list that maps the following: 

IP Address = Source Address 

Name = Source User Name 

Consider a set of events with the following values: 


SourceAddress   SourceUserName   TargetAddress 
1.2.3.4         sumerian         2.2.2.2 
1.2.3.4         agta             2.2.2.2 
1.2.3.4         sumerian         2.2.2.2 
1.3.5.7         trojan           2.2.2.2 
1.3.5.7         agta             2.2.2.2 


Case 1: Unique aggregation on one field 


You would like to capture the unique source addresses. The fields in your Aggregation tab would be 
something like: 

Aggregate only if these fields are unique: SourceAddress 
Aggregate only if these fields are identical: TargetAddress 

After aggregation and through the Add to Active List rule action, the active list entries would consist of: 


IP Address   Name 
1.2.3.4      sumerian 
1.3.5.7      agta 


Case 2: Unique aggregation on two fields 


Using the same event set, this time the fields in the Aggregation tab would be: 

Aggregate only if these fields are unique: SourceAddress, SourceUserName 

Aggregate only if these fields are identical: TargetAddress 

With the Add to Active List rule action, the active list entries would consist of: 


IP Address   Name 
1.2.3.4      sumerian 
1.2.3.4      agta 
1.3.5.7      trojan 
1.3.5.7      agta 

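Case 1 and Case 2 above, together with the Tip's Failed Login example, as an added Python model (not ESM code) of the unique and identical aggregation fields. It uses the guide's event set and active list mapping and assumes that, when several events share one unique-field combination, the latest event is the one whose values reach the active list; that choice is an assumption made to reproduce the tables above.

```python
"""Model of 'Aggregate only if these fields are unique / identical' (illustrative, not ESM code)."""
from typing import Dict, List, Sequence, Tuple

Event = Dict[str, str]
Groups = Dict[Tuple[str, ...], Dict[Tuple[str, ...], Event]]


def aggregate(events: Sequence[Event], unique: Sequence[str], identical: Sequence[str]) -> Groups:
    """Group events by the 'identical' fields; inside a group, keep one entry per distinct
    combination of the 'unique' fields. Each distinct combination counts as one match
    toward the threshold. Assumption not stated in the guide: when several events share
    one unique-field combination, the latest event is kept as the representative."""
    groups: Groups = {}
    for ev in events:
        ident = tuple(ev[f] for f in identical)
        uniq = tuple(ev[f] for f in unique)
        groups.setdefault(ident, {})[uniq] = ev
    return groups


def threshold_met(events: Sequence[Event], unique: Sequence[str], identical: Sequence[str],
                  threshold: int) -> bool:
    """True when some group holds at least `threshold` distinct unique-field combinations."""
    return any(len(g) >= threshold for g in aggregate(events, unique, identical).values())


def active_list_entries(events: Sequence[Event], unique: Sequence[str], identical: Sequence[str],
                        mapping: Dict[str, str]) -> List[Dict[str, str]]:
    """Entries an Add to Active List action would write for the aggregated events, with
    list columns mapped to event fields; identical rows collapse into one entry."""
    rows: List[Tuple[Tuple[str, str], ...]] = []
    for group in aggregate(events, unique, identical).values():
        for ev in group.values():
            row = tuple((col, ev[src]) for col, src in mapping.items())
            if row not in rows:
                rows.append(row)
    return [dict(r) for r in rows]


# Event set from the guide's Case 1 / Case 2 example.
EVENTS: List[Event] = [
    {"SourceAddress": "1.2.3.4", "SourceUserName": "sumerian", "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.2.3.4", "SourceUserName": "agta",     "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.2.3.4", "SourceUserName": "sumerian", "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.3.5.7", "SourceUserName": "trojan",   "TargetAddress": "2.2.2.2"},
    {"SourceAddress": "1.3.5.7", "SourceUserName": "agta",     "TargetAddress": "2.2.2.2"},
]
# Active list mapping from the guide: IP Address = Source Address, Name = Source User Name.
LIST_MAPPING = {"IP Address": "SourceAddress", "Name": "SourceUserName"}


def case_1() -> List[Dict[str, str]]:
    """Unique: SourceAddress; identical: TargetAddress."""
    return active_list_entries(EVENTS, ["SourceAddress"], ["TargetAddress"], LIST_MAPPING)


def case_2() -> List[Dict[str, str]]:
    """Unique: SourceAddress, SourceUserName; identical: TargetAddress."""
    return active_list_entries(EVENTS, ["SourceAddress", "SourceUserName"], ["TargetAddress"],
                               LIST_MAPPING)


# The Tip's example: threshold 2 on Event Name, Event Message, Category Outcome.
TIP_FIELDS = ["Event Name", "Event Message", "Category Outcome"]
TWO_IDENTICAL = [
    {"Event Name": "Failed Login", "Event Message": "Attempt", "Category Outcome": "Failure"},
    {"Event Name": "Failed Login", "Event Message": "Attempt", "Category Outcome": "Failure"},
]
ONE_DIFFERENT = [
    {"Event Name": "Failed Login", "Event Message": "Attempt", "Category Outcome": "Failure"},
    {"Event Name": "Failed Login", "Event Message": "Attempt", "Category Outcome": "Success"},
]


def tip_identical_pair_aggregates() -> bool:
    return threshold_met(TWO_IDENTICAL, TIP_FIELDS, [], threshold=2)   # False


def tip_different_pair_aggregates() -> bool:
    return threshold_met(ONE_DIFFERENT, TIP_FIELDS, [], threshold=2)   # True


if __name__ == "__main__":
    print("Case 1:", case_1())
    print("Case 2:", case_2())
    print("Tip:", tip_identical_pair_aggregates(), tip_different_pair_aggregates())
```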

Aggregation Time Criteria 

The ArcSight Console provides time-evaluation criteria that can affect event-occurrence aggregation 
and rule triggering. You apply these to rules through the Aggregation tab and the statement panel of the 
Conditions tab. 

Aggregation is based on an event's End Time value, not Manager Receipt Time. However, events are 
not kept in memory indefinitely, therefore if some events are received after a long delay (such as an 
hour or so), they will not be matched with events that have already been removed from memory. 
Aggregation Time Criteria 

Time Frame 
  Set on the Rule Editor's Aggregation tab, Time Frame establishes the time span for occurrence 
  aggregation. Event-occurrence aggregation is always controlled by Time Frame. Secondarily, Time 
  Frame becomes the default for global and alias expiration time, if these are not set separately. 

  Note: You can set the Rule Action trigger On Time Unit in conjunction with the Aggregation Time 
  Frame to limit the number of times a rule is triggered. See "Threshold Triggering Options" on 
  page 518. 

Global Expiration 
  Set on the Conditions tab, a global expiration applies to an entire rule. This is the amount of time 
  that qualifying events for all aliases are retained in memory for evaluation, based on Manager receipt 
  time. Setting an alias expiration overrides a global expiration, if present. To set Global Expiration, 
  right-click the rule's root node (Correlate) in the Conditions tab and choose Set Global Expiration 
  Time. 

Alias Expiration 
  Set on the Conditions tab, an alias expiration applies to a single event alias within a rule. This is 
  the amount of time that a qualifying event for this alias (only) is retained in memory for evaluation, 
  based on Manager receipt time. Setting an alias expiration overrides a global expiration, if present. 
  To set Alias Expiration, right-click an event alias in the Conditions tab and choose Set Alias 
  Expiration Time. 

  An event with an expiration time is displayed with an indicator, for example: 

  event1 (Wait time: 5m) 

  To remove the alias expiration time, right-click the event alias and change the time to 0. 

Matching Time 
  Set on the Conditions tab, a matching time creates a time-proximity comparison for multiple-alias 
  rules, based on events' actual creation times. When two or more rule-condition aliases are present, 
  a Matching Event node appears. You can right-click this node and choose Set Matching Time to 
  require events' original timestamps (specifically, the event's original end time) to fall within a 
  range. Note that this time-proximity test is independent of and different from the memory-retention 
  parameter set by global or alias expiration. 

Time out 
  Set on the Conditions tab, you are prompted to set a time out value in seconds, minutes, or hours 
  when you set an event alias to Negated. The time out begins after receipt of all positive events. If a 
  negated event is not received within this time out period, then the rule is triggered. 

  Note: If you have multiple negated events with different time out settings, the longest time out 
  period takes precedence. 
Deleting Aggregation from a Rule 

1. In the Rules resource tree, right-click a rule and choose Edit Rule. 

2. In the Rules Editor, select the Aggregation tab. 

3. In the Aggregate only if these fields are unique or Aggregate only if these fields are 
identical lists, select the fields to delete and click Remove. 

4. Click OK. 


Managing Rule Actions 

The Actions tab of the Rules Editor offers a consistent interface for defining actions to take based on 
the thresholds of the events that trigger them. 

In the Actions tab, you click the buttons in the top row to Add, Edit, or Remove event-action sets for 
rules. Click Hide Empty Triggers to hide or show triggers not currently used. 

Note: Rules, rule triggers, and rule actions can be enabled or disabled at various levels. The rule 
itself can be enabled or disabled, the trigger on a particular rule can be activated or deactivated, 
and a rule action associated with a particular trigger can be enabled or disabled. Details on rule 
triggers and rule actions are described in this topic. For more information and a summary, see also 
"Enabling and Disabling Rules" on page 497. 
In the Rules "Actions" tab, you can define actions to take based on thresholds of the events that 
triggered them. In this example, "On First Event" is a trigger which is currently activated. The user has 
configured an action associated with this trigger to add events to the specified active list. 

The Add list is expanded here to show all the actions you can configure for each trigger. 

[Screenshot: Rules Editor, Actions tab, showing the On First Event [ Active ] trigger with an Add To 
Active List action beneath it, the On Subsequent Events, On Every Event, and On First Threshold 
triggers, and the Add menu open listing actions such as Set Event Field, Send Notification, Execute 
Command, Execute Connector Command, Export to External System, Case, Active List, and 
Session List.] 

Adding, Editing, or Removing a Rule Action 

Requirement: 

A rule must exist. See "Creating or Editing Rules" on page 495. 

To add or edit a rule action: 

1. In the rule's editor, display the rule's Actions tab. 

For standard rules, the first trigger, On First Event, is active by default. For other rule types, 
only the On Every Event trigger is active and all other triggers are disabled. 

For standard rules, select an applicable threshold trigger that is active. If the desired trigger is not 
active, right-click it and select Activate Trigger. 
2. If you are adding an action, click Add, then 

■ For standard rules, choose an action from the available options. 

■ For lightweight rules, choose either Active List or Session List. 

■ For pre-persistence rules, only the Set Event Field action is available. 

If you are editing an action, click Edit to open that action's Add Action dialog box. 

3. If you are adding an action, in the Add “Action Name” Action dialog box, set the action's 
parameters, if present. 

If you are editing an action, change the action's parameters as required. 

Tip: You can use references to Velocity Templates as parameters for rule actions to derive 
values from event fields and variables. (See "Velocity Templates" on page 1093.) 

See "Rule Actions Reference" on page 520 for information about rule actions. 

4. Click OK to add the new action to the rule's threshold trigger. 

To remove a rule action: 

To remove a rule action, select an action below a trigger in the Actions tab and click Remove. 

Activating or De-activating a Rule Trigger 

When a trigger is activated, all enabled rule actions it contains are triggered when conditions are met. 

• To activate a rule trigger, select the trigger in the Actions tab and click Activate Trigger. 

• To de-activate a rule trigger, select the trigger in the Actions tab and click De-Activate Trigger. 

Enabling or Disabling a Rule Action 

For finer-grained control over which rules are triggered when, you can enable or disable a rule action 
associated with any of the triggers. 

• To disable an action, select an action below a trigger in the Actions tab and click Disable. 

• To enable an action, select an action below a trigger in the Actions tab and click Enable. 
Threshold Triggering Options 

Consider the following factors for determining your triggering options: 

• The minimum threshold value you can set is 1. 

• Triggering actions on every or subsequent occurrence can quickly use up resources. Use these 
options conservatively. 

• For threshold-based triggers, only a single correlation event is triggered on receipt of any single 
incoming event, even if that event has an aggregated event count high enough to trigger multiple 
firings. This is by design to prevent excessive firings. For example, if a rule has a threshold of 10, an 
event with an aggregated event count of 200 triggers only one rule firing (not 20). 


Trigger Thresholds 

On First Event 
  The first time rule conditions are met, overriding aggregation threshold settings. This is the default 
  trigger. 

On Subsequent Events 
  The second and subsequent times rule conditions are met (not the first), overriding aggregation 
  threshold settings. 

On Every Event 
  Every time rule conditions are met, overriding aggregation threshold settings. 

  Note: This is the only trigger available for lightweight and pre-persistence rules. 

On First Threshold 
  For the number of matches greater than 1, the first time rule conditions and threshold settings are 
  met. 

On Subsequent Thresholds 
  For the number of matches greater than 1, the second and subsequent times rule conditions and 
  threshold settings are met, not the first. 

On Every Threshold 
  Every time rule conditions and threshold settings are met. 

On Time Unit 
  Defines an action to take if the given threshold is met in the specified number of minutes 
  (When: On Time Unit: Every <NumberOfMinutes>). 

Notes: 

■ With On Time Unit (OTU), the minimum threshold value you must set is 2. 

This setting can work in conjunction with aggregation to limit the number of 
times a rule is triggered. For example, aggregation is set to 2 matches in 1 
minute and you get 50 matches in 1 minute (depending on how you set the rule 
actions). If you then specify the rule to trigger at On Time Unit = 1 minute, even 
if there were 50 matches in 1 minute, the rule would only trigger once per minute 
when the aggregation threshold is met. 

■ The list of correlated events attached to the On Time Unit trigger excludes the 
events composing the first threshold. For example, if the threshold is 2 and 5 
matching events are found, the first 2 events are excluded and only the 
remaining 3 are included in the list of correlated events. 

If you want to include the missing first two events for the threshold rule firing, 
you can additionally use these other triggers, On First Threshold or On Every 
Threshold' in conjunction with On Time Unit. In this case, you will not see the 
first two events as part of On Time Unit. Instead, the first two events will be 
part of On First Threshold or On Every Threshold. 

■ Activating On Time Unit does not imply that a rule is triggered on the first event, 
on subsequent events, or on every event that meets conditions. This 
specifically sets the rule to trigger for every given On Time Unit if aggregation 
thresholds are met. 

■ Be sure to set On Time Unit to less than or the same value as the Aggregation 
“Time Frame” (described in "Aggregation Time Criteria" on page 513) to prevent 
getting an extra correlation event for the rule itself. 
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Trigger Thresholds, continued 


Trigger Threshold 


On Time 
Window 
Expiration 


Expiration time of threshold settings 

When the On Time Window Expiration (OTW) trigger is activated, it includes an 
option to display a cumulative rule chain (a summary of triggered rules) at the 
end of the triggered rules list. 


By default, the cumulative rule chain option on an activated OTW trigger is off. To 
toggle the option between On and Off, right-click the active OTW trigger and select 
On or Off on the cumulative rule chain option as needed. 


j A| On Time Window Expiration [ Active ] Cumulative Rule Chain Is | On ▼ 

Off ^ 


On 


When an OTW trigger activates a rule, a correlation event is generated. If the 
cumulative rule chain option is on, the correlation event contains all the base 
events from the first threshold to the time window expiration. 

If the cumulative rule chain option is off, the generated correlation event contains 
events from the last threshold to the time window expiration. 

Limitation: Unique aggregation does not work with the On Time Window 
Expiration trigger if cumulative rule chain set to On. See "Setting or Changing Rule 
Thresholds" on page 51 1 for information on unique aggregation in rules. 
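The following Python model is an added example, not code from the ArcSight guide or product. It replays a constructed sequence of matching events through the trigger semantics described in this table and in the threshold note earlier in this topic (one correlation event per incoming event, however large its aggregated event count). The threshold and time frame values, the event identifiers, and the rule that a matched group is consumed once a threshold fires are assumptions made for the model. 

```python
"""Model of ESM rule trigger semantics (added example, not ArcSight code).

Assumed, not taken from the guide: every trigger on the rule is active, a
threshold is met when the aggregated counts of the matches inside the
aggregation time frame reach the threshold, and the group of matches that
met a threshold is consumed by that firing.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Event:
    event_id: str
    minute: float              # arrival time on a constructed timeline, in minutes
    aggregated_count: int = 1  # the event's own aggregated event count


@dataclass
class Firing:
    trigger: str
    on_event: str
    correlated: List[str] = field(default_factory=list)  # base events attached


class RuleTriggerModel:
    def __init__(self, threshold: int, time_frame_minutes: float):
        self.threshold = threshold
        self.time_frame = time_frame_minutes
        self.matches = 0                       # times the conditions have been met
        self.thresholds_met = 0                # times the threshold has been met
        self.window: List[Event] = []          # matches still inside the time frame
        self.period: List[Event] = []          # matches in the current time unit/window
        self.first_threshold: List[str] = []   # events that composed the first threshold
        self.last_threshold: List[str] = []    # events that composed the latest threshold

    def on_match(self, ev: Event) -> List[Firing]:
        """Feed one event that satisfies the rule conditions; return what fires."""
        fired = []
        self.matches += 1
        # Event-based triggers ignore the aggregation threshold.
        fired.append(Firing("On First Event" if self.matches == 1 else "On Subsequent Events", ev.event_id))
        fired.append(Firing("On Every Event", ev.event_id))

        # Drop matches that fell out of the aggregation time frame, then add this one.
        self.window = [e for e in self.window if ev.minute - e.minute < self.time_frame]
        self.window.append(ev)
        self.period.append(ev)

        if sum(e.aggregated_count for e in self.window) >= self.threshold:
            # One incoming event gives at most one threshold firing, however large its
            # aggregated count: a count of 200 against a threshold of 10 fires once, not 20 times.
            self.thresholds_met += 1
            group = [e.event_id for e in self.window]
            name = "On First Threshold" if self.thresholds_met == 1 else "On Subsequent Thresholds"
            fired.append(Firing(name, ev.event_id, group))
            fired.append(Firing("On Every Threshold", ev.event_id, group))
            if not self.first_threshold:
                self.first_threshold = group
            self.last_threshold = group
            self.window = []  # the matched group has been consumed
        return fired

    def end_time_unit(self) -> Optional[Firing]:
        """On Time Unit elapsed: fires once per unit if a threshold was met, and its
        correlated list leaves out the events that composed the first threshold."""
        firing = None
        if self.first_threshold:
            rest = [e.event_id for e in self.period if e.event_id not in self.first_threshold]
            firing = Firing("On Time Unit", self.period[-1].event_id, rest)
        self._reset_period()
        return firing

    def end_time_window(self, cumulative_rule_chain: bool) -> Optional[Firing]:
        """On Time Window Expiration: with the cumulative rule chain on, every base event
        from the first threshold is attached; with it off, only those from the last one."""
        firing = None
        if self.first_threshold:
            start = (self.first_threshold if cumulative_rule_chain else self.last_threshold)[0]
            ids = [e.event_id for e in self.period]
            firing = Firing("On Time Window Expiration", ids[-1], ids[ids.index(start):])
        self._reset_period()
        return firing

    def _reset_period(self) -> None:
        self.period, self.first_threshold, self.last_threshold = [], [], []
```

Feeding five matches against a threshold of 2 yields On First Threshold on the second event and On Subsequent Thresholds on the fourth; calling end_time_unit() afterwards returns an On Time Unit firing whose correlated list holds only the third, fourth and fifth events, which is the exclusion described in the notes. A single event with an aggregated count of 200 against a threshold of 10 increments thresholds_met exactly once. Use a separate model instance for end_time_window(), because either call closes the current period. 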


Rule Actions Reference 

For rule actions, consider the following factors: 

• Action sequence 

Add actions in the order in which you want them to be executed. For example, to set a static value 
in an active list, first add the action, Set Event Field; then add the action, Add to Active List. 

Note that the Editor display does not always match the internal representation of the specified order 
of rule actions. However, if you add rule actions in the proper order, that order is maintained 
internally. 

Actions added to a rule show up the first time in the order you add them. You can continue to modify 
these and they show up in this order. After you click Apply, the display reorders the actions so that 
Add to Active List shows up first even though the internal representation has not been modified. 
Even so, rule actions continue to work as expected unless you change the order. For example, if 
you delete the Set Event Field action then add it back in after Add to Active List action is already 
configured, the rule actions are mis-ordered and do not trigger as expected. 

• Use of velocity expressions in rule actions involving lists 

You can use references to Velocity Templates as parameters for rule actions to derive values from 
event fields and variables. (For additional details, see "Velocity Templates" on page 1093.) 

If you are using velocity expressions to derive values from variables and your rule is acting on an 
active or session list, perform these extra steps in conjunction with your action: 

1. Aggregate over the fields of interest on the rule’s Aggregation tab. 

2. Use the Set Event Field action to set unused fields to the fields you specified for aggregation. 
Start with the $ symbol followed by the exact name of the variable but without any special 
characters like spaces and dots. For example, if the variable is ActorByAccountID.Last Name, 
you may use something like: 

$ActorByAccountIDLast_Name 


[Screenshot: the Actions tab of a rule using ActorByAccountID. The On Every Threshold trigger is 
active and carries a Set Event Field action of deviceCustomString5 = $ActorByAccountIDLast_Name; 
the other triggers, including On Time Unit and On Time Window Expiration (Cumulative Rule Chain 
Is Off), are inactive.] 

3. Continue by specifying the list to be acted on by the rule. 

• Rule actions for lightweight and pre-persistence rules 

If you are creating or editing a lightweight rule, the rule can only act on active and session lists. If 
you are creating or editing a pre-persistence rule, the only available action is to set an event field. 

The following table contains rule actions that are available if you right-click a trigger on a rule’s Actions 
tab and select Add. 
Rule Actions 

Action: Set Event Field 

Fill in a data field value for correlation events generated by the rule using one of these methods: 

• Choose from the drop-down list of compatible data fields for the value to place in the event field. 
This works for all field types. 

• Use an expression in the format @<event fieldname> to set a string type field such as Device 
Custom String1 with the value of a unique aggregation field. For example, if you are doing unique 
aggregation on source address, your value for Device Custom String 1 = @sourceAddress. Setting 
event field values for unique aggregation fields is only supported on these rule triggers: on first 
threshold, on every threshold, on subsequent threshold, on time unit, and on time window 
expiration. 

See procedures in "Setting or Changing Rule Thresholds" on page 511 for a description of unique 
aggregation fields. 

If the correlation event already has a value for the selected data field, that value is overridden with 
this rule action. 

Note: Set Event Field is the only available action for pre-persistence rules. If a pre-persistence rule 
calls the Set Event Field action, the modification is done to the incoming base event, which has not 
yet persisted, instead of on the rule’s correlation event. 

Action: Send to OpenView Operations 

Send the triggered rule's associated events to a special ArcSight SmartConnector within the 
Manager. The connector forwards the information to an HP OpenView Operations installation. 

This applies only where you have specifically integrated OpenView with ESM. Request the ArcSight 
Tech Note concerning HP OpenView Operations for more information. 
Action: Send Notification 

Send e-mail or cell phone messages to the ESM users in the notification group when rules are 
triggered. Specify a notification group in the Destination Group drop-down menu, then enter the 
notification text in the Message box. 

• Click Ack Required if you want to begin an escalation chain. In this case those notified must 
acknowledge that they received the notification. 

• If you do not select Ack Required, the message is for information purposes only and is displayed 
on the Notifications manager’s Informational tab. 

• For more information, see "Managing Notifications" on page 203. 

Action: Execute Command 

Execute a command when the rule triggers. Select an operating system platform from the 
drop-down menu. 

• Enter the command string in the Command field. 

• Enter any required parameters in the Parameters field. Otherwise the command cannot execute 
without user intervention. 

Caution: Using parameters of Date/Time with the Execute Command requires that the variable 
name be within double quotes (“ ”). For example, to use $endTime as a parameter to a command 
to be executed on a rule action, enter the parameter as “$endTime”. 

• Select the Action Type: 

Automatically run on manager: Execute the command at the ArcSight Manager without further 
intervention. 

Run on Manager with Console confirmation: Require an operator at a Console to approve the 
command before it executes. 

Run on connector(s): Send the command to the connectors that report the events. 
Action: Execute Connector Command 

Execute a SmartConnector command applicable to the device reporting the events. 

Select the SmartConnector to execute the command. After you select a connector, the command 
field is populated with the commands available for that connector. Only certain SmartConnectors 
can process commands beyond the basic set that all SmartConnectors support (start, stop, pause, 
continue, and terminate). This is similar to "Sending Control Commands to SmartConnectors" on 
page 163. 

Note: A rule action to execute TRM commands on the ArcSight NSP appliance is not supported. 
Use the URL command instead, as described in the section "Integration Commands" on page 623. 

Action: Export to External System 

Send the rule and the triggering events to an external system that is integrated with ArcSight. The 
export file in XML format is stored in the ArcSight Manager's archive/exports directory. 

Action: Case 

Options: Create New Case; Add to Existing Case 

• Create a case when the rule is triggered. See "Using a Rule to Create a Case" on page 527 for 
detailed steps. 

• Update an existing case. See "Using a Rule to Add to an Existing Case" on page 528 for detailed 
steps. 

When the rule is triggered, the correlation event is added to the case. The maximum number of 
rule-associated events a case can hold is 1000, as controlled by the default server property 
rules.max_events_in_case. If this limit is reached, the Console sends a warning message and 
disables the action until the number of events in the case drops below the maximum. To decrease 
the number of events, manually remove them from the case. 

Tip: A suggested approach to creating and updating cases based on triggered rules is to: 

1. Configure an action to create a case on first event or some other threshold, set the new case’s 
attributes, and then 

2. Add to that same case when subsequent events or thresholds are triggered for that same rule. 
Action: Active List 

Option: Add to Active List 

Add the associated events to an existing active list that you select. 

Option: Remove from Active List 

Remove the associated events from an existing active list that you select. 

Notes: 

• Add To Active List and Remove From Active List either take no arguments (if acting on an 
event-bound active list) or a list of event fields (if not dealing with an event-bound active list). The 
values from the specified fields (those specified either by an event-bound active list or by the 
argument list) form an item that is added to, or removed from, the active list. Removing an item 
that is not present does not cause an exception. Adding an item that is already present simply 
increments that item's counter. You can see this counter in the Active Lists Editor. (See "Active 
Lists" on page 787 and "List Authoring" on page 469 for more information.) 

• When you are specifying fields to be added to or removed from the active list, you have the option 
to select local variables from the Fields tab or global variables from the Global Variables tab. 

• For lightweight rules, only the Active List and Session List actions are enabled. 

• See the Caution box in "Specifying Rule Thresholds and Aggregation" on page 511 about 
aggregation settings combined with rule actions that add entries to multi-mapped active lists and 
overlapping session lists. 

• See also "Use of velocity expressions in rule actions involving lists". 
Action: Session List 

Option: Add to Session List 

Add the associated events to an existing session list that you select. 

Option: Terminate Session List 

• Add the events to the session list when a session terminates. 

• Terminate the oldest session. If checked, the oldest session is added to the “terminate” session 
list. Oldest time is based on the session's Start Time. 

[Screenshot: the Add "Terminate Session List" Action dialog, with When: On First Event, the selected 
Session List, the Only Terminate Oldest Session check box, and a Session Field Mapping section: to 
terminate a session, match session key fields to event fields and set a session end time; a note in 
the dialog recommends End Time as the end time value.] 

Notes: 

• When you are specifying fields to be added to the session list, you have the option to select local 
variables from the Fields tab or global variables from the Global Variables tab. 

• For lightweight rules, only the Active List and Session List actions are enabled. 

• See the Caution box in "Specifying Rule Thresholds and Aggregation" on page 511 about 
aggregation settings combined with rule actions that add entries to multi-mapped active lists and 
overlapping session lists. 

• See also "Use of velocity expressions in rule actions involving lists" on page 521. 

Action: Asset 

Option: Add Asset Category To Asset 

Add the asset category to the associated asset. 

This supports the automated discovery and categorization of assets (web servers, mail servers, 
firewalls, and so forth) based on the type of events each asset is sending. Rules can be constructed 
to listen for certain types of events, and then categorize the associated asset appropriately. 

You also set up a condition based on which to remove the asset category from the asset, described 
next. 

Option: Remove Asset Category From Asset 

Remove the asset category from the associated asset. 

This supports automated categorization (or de-categorization) of assets along with the rule action 
to add an asset category (described previously) to this asset. 
Note: Duplicate rule actions after a crash recovery: 

If you stop ESM, it takes a checkpoint of the rules engine so that it knows what actions have been 
performed and where it stopped. If ESM crashes in such a way that it cannot take a checkpoint 
(during a power failure, for example), it returns to the last checkpoint when ESM restarts, and 
replays events from there. Any actions that occurred between that checkpoint and the ESM crash 
are therefore repeated. Repeated actions that generate audit events generate duplicate audit 
events. 

You should investigate repeated actions that do not duplicate well. For example, if an action adds 
an item to an Active List, that item’s counter will be incremented. If the action runs a command, it 
will run the command again, and so on. 
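To see what the replay means for actions that do not duplicate well, the following Python model is an added example, not ArcSight code. It checkpoints a rules engine, processes more events, simulates a crash and replays from the checkpoint, then repeats the run with an idempotency-key guard. The guard is an illustrative mitigation and not a feature described in the guide; the event identifiers, active-list items and the recorded command are constructed sample data. 

```python
"""Model of rule-action replay after a crash recovery (added example, not ArcSight code).

The engine checkpoints how far it has processed; after a crash it replays from
the last checkpoint, so actions between checkpoint and crash run twice. The
idempotency-key guard is an illustrative mitigation, not an ESM feature.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DurableState:
    """Side effects that survive the crash: active list counters, commands run and,
    for the guarded variant, which event ids already had their actions applied."""
    active_list: Dict[str, int] = field(default_factory=dict)
    commands_run: List[str] = field(default_factory=list)
    applied_events: Set[str] = field(default_factory=set)


class RulesEngine:
    def __init__(self, state: DurableState, idempotent: bool = False):
        self.state = state
        self.idempotent = idempotent
        self.checkpoint = 0   # number of events covered by the last checkpoint
        self.processed = 0    # in-memory progress, lost on crash

    def _run_actions(self, event_id: str, item: str) -> None:
        if self.idempotent and event_id in self.state.applied_events:
            return  # this event's actions already ran once: skip the replayed copy
        # Add to Active List: an item that is already present just gets its counter incremented.
        self.state.active_list[item] = self.state.active_list.get(item, 0) + 1
        # Execute Command: a constructed placeholder command, recorded instead of run.
        self.state.commands_run.append(f"notify-helpdesk {item} {event_id}")
        if self.idempotent:
            self.state.applied_events.add(event_id)

    def process(self, events: List[Tuple[str, str]]) -> None:
        for event_id, item in events:
            self._run_actions(event_id, item)
            self.processed += 1

    def take_checkpoint(self) -> None:
        self.checkpoint = self.processed

    def crash_and_restart(self, all_events: List[Tuple[str, str]]) -> None:
        """Power loss: in-memory progress is gone, so replay from the checkpoint."""
        self.processed = self.checkpoint
        self.process(all_events[self.checkpoint:])


def simulate(idempotent: bool) -> DurableState:
    """Constructed sample: five matching events as (event id, active-list item) pairs."""
    events = [("e1", "192.0.2.9"), ("e2", "198.51.100.7"), ("e3", "192.0.2.9"),
              ("e4", "203.0.113.4"), ("e5", "192.0.2.9")]
    state = DurableState()
    engine = RulesEngine(state, idempotent)
    engine.process(events[:2])
    engine.take_checkpoint()     # a clean stop would checkpoint here
    engine.process(events[2:])   # e3..e5 are acted on, then the crash happens
    engine.crash_and_restart(events)
    return state
```

Without the guard, the Add to Active List counter for 192.0.2.9 ends at 5 instead of 3 and the command runs eight times instead of five. The guard only helps if the applied-events record is written durably together with the side effect; recorded separately, a crash between the two reintroduces the duplicate. 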


Applying Rule Actions on Cases 

This topic covers details on rule actions to create or update a case. 

Using a Rule to Create a Case 

The Create a New Case Action panel provides all fields necessary to set case attributes. The 
following example shows that creation of the case is based on the On First Event trigger for this rule: 


[Screenshot: the Add "Create New Case" Action dialog. When: On First Event; Name: Suspicious 
Login Attempts $attackerAddress; Group: Logins; Owner: admin; Include Base Events in Case is 
selected. Under More Attributes, the Ticket attributes show Ticket Type: Internal, Stage: Queued, 
Frequency: 0-0<1, Operational Impact: 0-No Impact, Security Classification: 1-Unclassified, 
Consequence Severity: 0-None, with OK, Cancel and Help buttons.] 

When you use a rule to create a case, you are required to give the case a name. It is possible that your 
organization has customized the Case resource so that additional fields are mandatory. If so, note that 
the rule will not check for the additional mandatory fields, and the rule will not fail if you do not set 
those mandatory fields with this rule action. You should therefore remember that after the rule creates 
the case, the case owner is responsible for editing and setting the other mandatory fields. 

To apply the Create New Case rule action: 

1. Required: Provide a name for the case. 

You can name a case in conjunction with an existing field value from an event. For example, you 
want your action to create a new case called Suspicious Login Attempts based on a value in the 
event field, Attacker Address. For this scenario, your case name’s format will be Suspicious 
Login Attempts $attackerAddress. 

2. Specify a case group and owner. 

3. Optionally choose Include Base Events in Case. This means that when the rule action is 
triggered, both correlation events and the correlated base events that triggered the rule will be 
added to the case’s Events tab. 

4. Specify the case’s attributes when the rule is triggered. For information on case attributes, refer to 

"Creating or Editing a Case" on page 596. 

For multi-line text fields, the value specified in this rule action will be appended to the existing 
values, but only if the new value being appended is unique. For example, your multi-line Attacker 
Address field has these IP addresses: 

192.0.2.0 

192.0.2.9 

192.0.2.24 

If the rule action is to set the field with Attacker Address = 192.0.2.9, this value will not be 
appended because the value is already in the field. 

Using a Rule to Add to an Existing Case 

The Add To Existing Case Action panel provides all fields necessary to change case attributes. The 
panel does not fetch current values of the existing case. Instead, the default selection is Keep existing 
value. Remember that you are defining the rule to keep or change certain case attributes when the 
action is triggered, whatever the case attributes are at that time. 
To apply the Add To Existing Case rule action: 

1. Specify a case by choosing one of two options: 

■ Select an existing case. Use the Case drop-down menu to navigate the Cases resource tree 
and select the case. 

Caution: Make sure the case is not locked when the rule triggers; otherwise, the rule fails. 
However, even if the rule fails, correlation events are still added to the case because the 
addition of events does not alter the case resource itself. 


■ Select Calculate case name dynamically to specify a case defined in another rule action. 



This setting does not require an existing case. If the case does not yet exist, the case is created 
when the rule is triggered. 

For the dynamic case name, specify the name based on the same case name you provided in 
the other rule action that creates the case. An example of a dynamic case name is one that 
includes a variable. In the example, GetMonth is a variable name, and so the dynamic name 
entry is Suspicious Login Attempts $GetMonth. If your variable name has spaces, replace 
the spaces with the underscore character. For example, if your variable is Get Month, then your 
case name is Suspicious Login Attempts $Get_Month. 

2. Optionally choose Include Base Events in Case. This means both correlation events and the 
correlated base events that triggered the rule will be added to the case’s Events tab. 

3. Specify the case’s updated attributes when the rule is triggered, or keep the existing values. For 
information on case attributes, refer to "Creating or Editing a Case" on page 596. 

For multi-line text fields, the value specified in this rule action will be appended to the existing 
values, but only if the new value being appended is unique. For example, your multi-line Attacker 
Address field has these IP addresses: 

192.0.2.0 

192.0.2.9 

192.0.2.24 

If the rule action is to set the field with Attacker Address = 192.0.2.9, this value will not be 
appended because the value is already in the field. 
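The naming and update behaviour described for the case actions, together with the Velocity variable naming convention from "Use of velocity expressions in rule actions involving lists" earlier in this chapter, can be checked with the following Python model. It is an added example and not ArcSight code: the conversion of a variable name to its $ reference (dots dropped, spaces replaced by underscores) is inferred from the guide's two examples, unknown $tokens are left as written, the treatment of Attacker Address as a multi-line field and the KEEP sentinel standing for "Keep existing value" are constructed for the model, and the 1000-event cap is the stated default of rules.max_events_in_case. 

```python
"""Model of the Create New Case / Add To Existing Case rule actions (added example,
not ArcSight code). See the lead-in for which conventions are assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_EVENTS_IN_CASE = 1000               # default of the server property rules.max_events_in_case
MULTILINE_FIELDS = {"Attacker Address"}  # constructed: case fields treated as multi-line text
KEEP = object()                          # "Keep existing value", the editor's default selection
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def velocity_name(variable: str) -> str:
    """'ActorByAccountID.Last Name' -> '$ActorByAccountIDLast_Name'; 'Get Month' -> '$Get_Month'.
    Inferred from the guide's examples: dots are dropped, spaces become underscores."""
    return "$" + variable.replace(".", "").replace(" ", "_")


def render_case_name(template: str, event_fields: Dict[str, str], variables: Dict[str, str]) -> str:
    """Expand $field and $variable references in a case name such as
    'Suspicious Login Attempts $attackerAddress'. Unknown tokens stay as written (assumption)."""
    lookup = dict(event_fields)
    for name, value in variables.items():
        lookup[velocity_name(name)[1:]] = value
    return TOKEN.sub(lambda m: str(lookup.get(m.group(1), m.group(0))), template)


def append_unique(existing: str, new_value: str) -> str:
    """Multi-line text fields only take a value that is not already present."""
    lines = existing.splitlines()
    if new_value in lines:
        return existing
    return "\n".join(lines + [new_value])


@dataclass
class Case:
    name: str
    locked: bool = False
    attributes: Dict[str, str] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)


def add_to_existing_case(case: Case, new_attributes: Dict[str, object], event_ids: List[str],
                         max_events: int = MAX_EVENTS_IN_CASE) -> Tuple[str, int]:
    """Apply an Add To Existing Case action. Returns (outcome, events_added): 'ok';
    'locked' when the rule fails on a locked case but the events are still attached;
    'disabled' when the event cap has been reached and the action is switched off."""
    if len(case.events) >= max_events:
        return "disabled", 0             # the Console warns and disables the action
    added = event_ids[:max_events - len(case.events)]
    case.events.extend(added)            # correlation events are added even if the rule fails
    if case.locked:
        return "locked", len(added)      # case attributes are left untouched
    for name, value in new_attributes.items():
        if value is KEEP:
            continue
        if name in MULTILINE_FIELDS and name in case.attributes:
            case.attributes[name] = append_unique(case.attributes[name], str(value))
        else:
            case.attributes[name] = str(value)
    return "ok", len(added)
```

With the three Attacker Address values from the example above already in the case, setting the field to 192.0.2.9 again leaves it unchanged, while a fourth address is appended on its own line; a locked case returns 'locked' with its Stage untouched but the correlation event attached, and a case holding 1000 events returns 'disabled' and accepts nothing. 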
Converting Rule Types 

Converting a lightweight or pre-persistence rule to standard rule is straightforward: On the rule’s 
Inspect/Edit panel, Attributes tab, choose the standard rule type. This makes all features for standard 
rules available. You then add join conditions, change aggregation settings, and define actions on 
various types of triggers as required by the new standard rule. 

Converting a standard rule to lightweight or pre-persistence rule requires that the rule must first meet 
the converted rule’s requirements; otherwise, the rule you are converting will not be saved. See "Rule 
Types" on page 494 for each type’s features. 

To convert a standard rule to a different rule type: 

1. Make sure your standard rule already complies with the target rule type’s requirements. For 
example, one of the requirements for a lightweight or pre-persistence rule states that the rule to be 
converted must have only one event condition. Refer to "Rule Types" on page 494 for more 
guidance. 

2. In the Rules resource tree, right-click the standard rule you want to convert and choose Edit Rule. 

3. In the Rules Editor, select the Attributes tab and change the Rule Type to Lightweight Rule or 
Pre-Persistence Rule. 

The Aggregation tab is disabled. 

4. In the Conditions tab, make sure that only one condition exists. 

5. In the Actions tab: 

a. Make sure that On Every Event is active and the other triggers are inactive. 

b. For conversion to lightweight rules, make sure that the action is on an active or session list. For 
conversion to pre-persistence rules, the only allowed action is Set Event Field. Disable other 
actions. 

The old settings of this former standard rule (aggregation thresholds, de-activated triggers, and 
disabled actions) will be restored when the rule is converted back to standard. 

6. Save your converted rule. 


Testing Rules 

This information applies to standard rules. 

You can test standard rules against copies of active channels for valid conditions logic, verify that rules 
are triggered by the events they are supposed to capture, and that they generate correlated events as 
expected. 
The ArcSight Console provides two different ways of getting to tools for testing and verifying rules 
against events before deploying the rules in real time: 

• Test a single rule from within the rule editor by clicking the Test button. 

• Test rules and rule groups from the navigation tree with the Verify Rules with Events option. 

These options are somewhat similar. They differ in the navigation paths to select or set up the 
channels, and more importantly in that from the rule editor you can test only the selected rule but from 
the navigation tree you can test several selected rules or rule groups. This Help topic explains how to 
test a single rule from the rule editor. See also "Verifying Rules with Events" on the next page. 

Note: Keep in mind that only rules deployed in Real-time Rules act on live events and show up in a 
live channel when they are triggered. For more information, see "Deploying Real-time Rules" on 
page 536. 


Testing a Rule from the Rule Editor 

1. Choose the Rules resource in the Navigator, and select the rule you want to test. 

2. Right-click and choose Edit Rule to bring up the Rule editor for that rule in the Inspect/Edit panel. 

3. In the editor for the selected rule, click Test. 

This brings up the Test Rule dialog where you can choose an existing active channel or create a 
new channel in which to verify the rule. 



4. Select either New Active Channel or Select an Active Channel depending on whether you want 
to test the rule in a new or existing channel. 

You can set override channel filters on either a new or existing active channel. 

If you choose Select an Active Channel (which means you are opting to use an existing channel 
rather than create a new one), an in-line browser is displayed where you can navigate to and 
choose an existing channel. 
5. Once you have set up the channel, click OK. (If you need more help on setting up channels, see 
"Viewing and Using Channels" on page 211.) 

The channel is displayed in the Viewer panel. 


Showing Rule Errors 

If rules have errors, the rule icon changes to indicate it. 

In the Rules resource tree, right-click the rule-error icon and choose Show Error. The error appears in a 
dialog box. 


Verifying Rules with Events 

This topic applies to standard rules. ArcSight Console provides two different ways to test or verify rules 
before deploying them. These options are somewhat similar. They differ in the navigation paths to 
select or set up the channels, and more importantly in that from the rule editor you can test only the 
selected rule but from the navigation tree you can test several selected rules or rule groups. 

The first method is discussed in "Testing Rules" on page 530. This topic explains how to test multiple 
rules or rule groups from the navigation tree using the Verify Rule(s) with Events option. 

You can test rules by running them against a set of captured events for historical analysis. Now you 
can replay events to verify rules in existing active channels or create new channels for this purpose. 
Also, you can select a single rule, multiple rules, or a rule group to verify. 

Tip: About Test Channels: A lightning bolt icon on a channel indicates it is a test channel created 
as a result of choosing Verify Rules with Events on a rule. Test channels cannot be re-used, 
even for the same rule. Remove test channels from the Active Channels folder in the Navigator. 

Alternatives to Test Channels: If you would like to re-use a channel to test various rules, create 
a standard active channel, for example, “My Rules Test Channel” (see "Creating or Editing an 
Active Channel" on page 213), then send rules test results to that channel. You can re-use a 
standard channel as many times as you want to test rules (that is, verify rules with events). 


To verify rules with events: 

1. In the Rules resources tree, right-click an appropriate rule group or a specific rule and choose 
Verify Rule(s) with Events. 

2. From the sub-menu, choose More or New Active Channel: 

■ More. This displays the Active Channel Selector dialog. Use this dialog to navigate to the 
channel you want. 

[Screenshot: the Active Channels Selector dialog.] 

If you want to redefine or further narrow the stream of events in the selected channel, click the 
Override Channel Filter tab to add filters to it. The Override Channel Filter tab shows the 
conditions on the currently selected channel. You can add, remove, or modify the filters here. 
Click OK to choose the selected channel with filter modifications (if any). The selected channel 
is displayed in the Viewer panel. 


Note: Filters shown on rule verification channels are not designed for copying and re-use 
outside of these special rule testing channels. Rule verification channels show rule- 
triggered events and other non-correlation events in the channel, but the complete filtering 
logic that accomplishes this is not exposed. 

Filter conditions on these channels display the original filter (if one is applied) and “Session 
ID > 0". The session ID statement is a simplified representation of the back-end filtering 
taking place in the special rule verification channel to limit this particular channel to show 
only new rule-triggered events. 


■ New Active Channel... 

Selecting this option brings up a dialog where you can set up the parameters for the active 
channel that displays the rules in action. Provide a name for the new channel and set the other 
channel options as described in "Viewing and Using Channels" on page 211. 

[Screenshot: the New Active Channel dialog, with Channel Name, Start Time ($Now - 2h), End Time 
($Now), Use as Timestamp, the option "Evaluate time parameters once at attach time", Filter and 
Fields selectors, and a Selected Rules and Rule Groups section listing the rules and rule groups to 
be used for the replay (for example /All Rules/Personal/Vicky's Rules/). A note in the dialog states 
that for time ranges over a day, the end time will be evaluated on an hourly basis.] 

Click OK to create the new channel with your chosen settings. The new channel is displayed in 
the Viewer panel. 


[Screenshot: the Viewer panel showing the test channel "Rules Tests": Total Events 132, Start Time 
14 Jan 2009 18:49:41 PST, End Time 14 Jan 2009 20:49:41 PST, Filter: Session ID > 0, Inline Filter: 
No Filter, Verified Rules: [VPN Events], Radar Events Correlated: 100%. The grid columns are End 
Time, Name, Attacker Address, Target Address, Priority, Device Vendor and Device Product; every 
row is a "VPN Events" correlation event with priority 7 and ArcSight as both vendor and product. 
The priority summary reads Very High: 0, High: 132, Medium: 0, Low: 0, Very Low: 0.] 

Unlike existing active channels, channels created for rule verification purposes have a fixed time 
window (they become static) for qualifying events, and the events are those that qualify under the rules 
in the selected group. These active channels incorporate the conditions, aggregation characteristics, 
and actions defined for the rules in the selected group. 

Note: Rules tested against pre-existing active channels are actually executed on copies of active 
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channels the system automatically generates for this purpose. Rules run in verify mode do not 
generate real rule actions correlated with live or historical system events and, therefore, when they 
are triggered no real rule actions are impacting the system state. Only real-time rules or scheduled 
rules (set up to capture batched and other types of historical data) trigger real rule actions. 

Once you have created and verified rules and are ready to deploy them on real-time events, move 
or copy the rules to your userfolder under Real-time Rules. For more information, see Deploying 
Real-time Rules" below and "Scheduling Rules" on page 539. 


Deploying Real-time Rules 

After you have created and verified rules and you are ready to deploy them on real-time events, move or 
copy the rules to your user folder under Real-time Rules. 

Rules run in verify or test rule mode do not generate real rule actions correlated with live or historical 
system events and, therefore, when they are triggered no real rule actions are impacting the system 
state. 

Only real-time rules show up in a live channel, generate correlation events, and trigger real rule actions. 

Note: A special category of rules called scheduled rules can capture batched and other types of 
historical data, generate correlation events, and trigger real rule actions. These act similarly to real- 
time rules, but are deployed differently. They are evaluated according to a schedule, and trigger off 
historical/past events. See "Scheduling Rules" on page 539 for more information. 

Topics include: 

• "Deploying a Rule" below 

• "Removing or Un-deploying a Rule" on the next page 


Deploying a Rule 

In the Navigator panel's Rules resource tree, right-click a rule or a rule group (folder) and choose 
Deploy Realtime Rule(s). 

The rules you deploy are linked into the Real-time Rules folder (Shared/All Rules/Real-time Rules). 
This means that if you change something in the working copy of a rule (in your user folder), those 
changes also take effect in the deployed rule, and vice versa. 

You can also manually copy, link, or move rules from your working user folder to a user folder in 
Real-time Rules. To do this, click and drag a rule or rule group to the Real-time Rules folder, then 
choose an option in the dialog (Copy, Link, or Move). This method of deploying real-time rules is useful 
if you want to copy or move the rules rather than link them. 

If a rule is already enabled, it is deployed as enabled. If a rule was disabled during the testing phase, 
it is deployed into real-time rules but remains disabled until you enable it. Rules must be both enabled 
and deployed in real-time rules to take effect in the live system. (If you enable or disable a deployed, 
linked rule in the original location, it is also enabled or disabled in real-time rules and vice versa.) 
For more information, see "Enabling and Disabling Rules" on page 497. 


Removing or Un-deploying a Rule 

You can remove rules from the Real-time Rules folder, thereby “un-deploying” them from the live 
system. 

To un-deploy a rule (beyond disabling it), select the rule in the Real-time Rules folder, right-click, and 
choose Delete Rule from the context menu. 

Depending on whether the rule was linked, moved, or copied into the Real-time Rules folder, you get 
different options at this point. 

• If the rule was moved or copied from your working folder, you get an option to remove it or to 
cancel the operation. 

• If the rule is a link to the original rule in your working folder, you get options to remove it from this 
group only, delete it entirely from all locations, or cancel the operation. (A linked file is treated as a 
single entity, so edit actions taken on the file in any location affect all instances of it.) 


Managing Rule Groups 

Rule groups are created to store similar rules in a single location. Groups can be nested within groups 
to meet enterprise needs. You can have a combination of standard and lightweight rules in the same 
rule group. Because you cannot schedule pre-persistence rules, keep them together in a rule group 
that you do not intend to schedule. 

Caution: Do not exceed 10,000 resources in a group. 

Move and copy groups and rules on the Rules resource tree with the drag and drop functionality. If you 
delete a group, the rules within that group are also deleted. 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 


To create a rule group: 

1. In the Navigator panel's drop-down menu, choose Rules. 

2. In the Rules resource tree, right-click a group and choose New Group. 
A New Group text field appears under the group you selected. 
3. Type the new group’s name in the text field. 

4. Press Enter. 

5. Refer to "Scheduling Rules" on the next page to add entries in the group’s Jobs tab. 

To rename a rule group: 

1. In the Rules resource tree, right-click a group and choose Rename. 

2. In the text field, enter the group’s new name. 

3. Press Enter. 

To edit a rule group: 

1. In the Rules resource tree, right-click a group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text fields. 

3. Optionally, you can designate owners of the group, and specify user groups that are notified of rule 
changes. 

4. Click OK. 

5. Refer to "Scheduling Rules" on the next page to add or edit entries in the group’s Jobs tab. 

To move or copy a rule group: 

1. In the Rules resource tree, navigate to a group and drag and drop it into another group. 

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you select Copy, you create a separate copy of the group that is not affected when the original group 
is edited. If you select Link, you create a copy of the group that is linked to the original group. 
Therefore, if you edit a linked group, whether it be the original or the copy, all links are edited as well. 
When deleting linked groups, you can either delete the selected group or all linked groups. 

To delete a rule group: 

1. In the Rules resource tree, right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 
Importing and Exporting Rules 

Rules are created in a readable XML format. You can export a rule or rule group to an external file to 
modify it. After modification, you can import it back into the ArcSight Manager. 

Tip: To import and export rules, use the packages feature. Packages supersede the import/export 
facility provided in previous ESM releases and offer enhanced functionality, including version 
support, dependency management, and import/export capabilities. Portable ArcSight packages 
can automatically manage dependencies across resources and other packages. Please see the 
information on packages in "Managing Packages" on page 693. 


Scheduling Rules 

You can schedule rules to run at a specified time interval such as hourly, daily, or monthly. 

Scheduled rules are a useful alternative to real-time rules in situations where you want to deploy rules 
that take into account historical data along with live data, or when you simply want to control when the 
rules are run. The scheduled rules engine can process historical data, take real actions, and generate 
correlated events which are the same as those generated by the real-time rules engine. 

Consider the following points when scheduling rules: 

• Scheduling does not apply to pre-persistence rules. If an unscheduled rule group includes pre- 
persistence rules, the Console prevents you from scheduling that rule group. However, scheduling 
is at the group level. You can still schedule a parent group even if one or more of its child groups 
contain pre-persistence rules. 

• Don’t use past start and end dates for your rule schedules. The rule will not run because the 
scheduler assumes that the job is finished. 

• After a scheduled job has run once, it will not run again even if you change the schedule’s start time 
and try to rerun it. Remove the old schedule and create a new one in this case. 

• If you are interested only in historical data and you use a past start time and no end time, the rule 
will be in “catch up” mode. The rule will execute on all the data from the start to the current time, not 
only on historical data. 

Topics include: 

• "Scenarios for Using Scheduled Rules" on the next page 

• "Scheduling a Rule Group" on page 541 

• "Example of a Scheduled Rule (Badge Swipes and Logins) " on page 543 
Scenarios for Using Scheduled Rules 

Batched events: 

In many environments, certain types of events are not immediately available to the Manager, but 
instead are sent in batches infrequently: sometimes once a day or once a week. Such events have 
different Manager receipt times and end times. Manager receipt times are current (when the batches 
are submitted), but the event end times are in the past, since the events have actually happened in the 
past. Common examples of events that are sent in batches are those involving physical security 
devices, and represent individuals gaining entry to buildings or offices by means of badge readers and 
card keys. 

Since these events (like an employee entering an office) arrive late to the Manager, they cannot be 
effectively correlated with other events (like a user login) by typically deployed rules that use the real- 
time rules engine. When the real-time rules engine receives login events, it waits for 1 minute (or 
whatever the time window for this rule is) and then discards that login event, since the other event did 
not arrive within rule's time window. Consider a rule that looks for a badge swipe event and a login 
event within 1 minute of each other (aggregates on 1 minute). The login events are received by the 
Manager in real time as they occur. But the badge swipe events are collected and submitted only once 
a day at 10 p.m. 

A real time rule would not correlate the two events because it would discard the login event before it 
ever gets the batched event. But if you scheduled your rule to run at midnight with the scheduled rules 
engine, it could correlate the actual end times of batched events and login events that occur within 1 
minute of each other. Scheduled rules can correlate these types of events because (a) rules can be 
scheduled to run when both the login and batched events are available within the database and (b) 
although the Manager receipt times for these events would be different, their end times are close 
together within the aggregation window. Correlations are based on end times of events. 

Historical data: 

You may want to capture and correlate other kinds of historical data (other than batched events). For 
example, suppose you have observed a pattern of events over the last several weeks and decide to 
write rules that take actions on some of those events, correlating not only future occurrences but also 
the past events. You can do this by specifying the desired date range in the filter for the schedule, for 
example, a filter that restricts Manager Receipt Time (MRT) to a past date range. 

Optimized rule schedules: 

Another scenario in which you might want to use scheduled rules is for rules that are more appropriate 
to run after business hours (for example, in the middle of the night). The job scheduler on rule groups 
lets you specify the appropriate schedule; the rules still generate correlation events, but are executed 
during off-hours. 

In all such cases, scheduled rules generate correlation events and take real actions when triggered, 
just like deployed real-time rules. 
Note: Although scheduled rules that correlate batched events work in part with historical data, 
these are deployed rules (not tests) that take actions as appropriate and do affect the live system. 


Scheduling a Rule Group 

1. Click the Rules resources on the Navigator. 

2. Identify the rules you want to schedule. (For information on how to create new rules, see 
"Managing Rules" on page 495.) 

3. If these rules are not already in a rule group, create a new rule group and link or move rules into it. 
(For information on how to create and work with rule groups, see "Managing Rule Groups" on 
page 537.) 

4. Select a rule group, right-click, and choose Edit Rule Group from the context menu. 

5. Click Jobs in the Rule Group editor. 

6. Add a job, name and describe it, and specify a schedule on which to run the rule group. 

7. Specify a filter for these rules. By default, the filter is set to All Events. Click Filter Results by to 
refine the filter to display only events relevant to the rule. Narrowing the filter optimizes 
performance when the rule is run. 
[Screenshot: Inspect/Edit panel showing the Rule Group editor (Attributes, Jobs, and Notes tabs) for a 
group named "Scheduled Badge Entry an...", with Add, Remove, and Frequency buttons above a 
Jobs/Description list and OK, Cancel, Apply, and Help buttons below. Callouts: Double-click to modify 
the default job name and description, or click Add to add a new scheduled job. Click the Hourly link in 
the Summary to bring up the Job Frequency dialog, where you define the schedule frequency and range 
of the job (start/end dates). The rule schedule can have an end date or be defined to run indefinitely.] 



8. Click Apply or OK to deploy. 

The rules are deployed according to the schedule specified in the Rule Group editor on the Jobs tab, 
and are triggered if the rule conditions are met. 

Note: You cannot schedule a single rule outside of a group, but you can schedule it as a “group of 
one” contained in a folder. To schedule one or more rules, place them in a folder. Multiple rules in 
the same folder run together per the schedule as part of the rule group. 
Example of a Scheduled Rule (Badge Swipes and Logins) 

This example applies to standard rules. The following shows the conditions statements for a rule that 
correlates Badge swipe events that are sent to the Manager in a batch file once per day; with login 
events that are sent to the Manager frequently in real-time. The example rule looks for an event with 
“swipe” in the name and an event with “login” in the name. 

Example Scheduled Rule: Condition Statements 

Rule has condition that matches badge swipe 
entry with login event. (Shown here on both 
Conditions Edit and Summary display tabs.) 




This rule sets an aggregation time window to correlate these events at 2 minutes. This means that a 
login event (end time) must occur within 2 minutes of a badge swipe event (end time) in order for the 
rule to be triggered. 
Example Scheduled Rule: Aggregation 



The rule aggregates on 1 or more matching conditions 
within a 2 minute time window. A badge swipe and 
login entry must occur within 2 minutes of each other 
to be correlated and trigger the rule. 


Note that if you deploy this rule in real-time rules, the rule is not triggered to capture the events you 
want to correlate. Although the badge swipe events are actually occurring within 2 minutes of login 
events (according to event end times), the ArcSight Manager Receipt Time for badge swipe events is 
always hours later (whenever they are submitted as batched events). In this kind of scenario, the real- 
time rules engine would never correlate these events because the badge swipe events (with late 
Manager Receipt time) would be read in so much later. 

If, however, you deploy this as a scheduled rule that runs nightly, the rule is triggered and captures the 
correlated events, because the scheduled rules engine is designed to correlate historical data with live 
data. 

To configure this as a scheduled rule, you would create a new folder (group) for it under Rules 
resources in the Navigator, link or move the rule into the folder, then edit the rule group to add a 
scheduled job (on the Jobs tab). The job schedule defines when the rule runs. Once the job schedule is 
applied to the rule group, the rule is deployed as a scheduled rule. 
To create and test the example rule: 

1. Create a rule called Badge Entry and Logins. 

2. On the Conditions tab for this rule, set a condition to look for two events joined by AND; an event 
with swipe in the event name and an event with login in the event name. 

3. Save the new rule. 

4. Create a new rule group folder called Badge Entry and Logins and link or move the rule into that 
folder. 

5. Edit the Badge Entry and Logins rule group to add a scheduled job for the rule of the same 
name. 

6. Save the new rule group. 


The rule is deployed after you save the rule group with the scheduled job. 

For testing purposes, schedule the job to start 5 minutes from the current time and then use the 
ArcSight Test Alert connector to send test events to the Manager with end times within two minutes 
of each other and different Manager receipt times. (For example, to model a real-world scenario, set 
the Manager receipt time for badge swipes to several hours later than for logins.) 

Make sure that the start time of your scheduled job is earlier than the event end times on your test 
events (so that the scheduled job is running to capture the events). You should see the scheduled rule 
triggered on correlated events. 


Figure: Start Time on Example Scheduled Rule is Set Earlier than End Times of Events 

[Diagram: a timeline drawn against Manager receipt time (the real-time clock). The scheduled rule's 
start falls before the badge swipe and login events, which lie within the 2 minute event window, and 
the rule's end falls after them.] 

As a comparison, deploy the same rule in a real-time rules folder and send the test events again. Note 
that the same rule is not triggered by the real-time rules engine because it is not designed to correlate 
historical data. 

In every scheduled run of a rule, only events arriving between that run and the earlier run are considered 
for input. 
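The end-time versus Manager receipt time behaviour described above, modelled in Python. This is an added example, not ArcSight code and not a description of the Manager's internals: the Event class, the two engine models and the sample events are constructed for illustration; the 2-minute aggregation window, the 10 p.m. badge batch and the nightly run are taken from the scenario in the text.

```python
"""Added example (not ArcSight code): why a real-time, receipt-ordered rule
misses late-arriving batched events while a scheduled run that joins stored
events on their end times catches them."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

WINDOW = timedelta(minutes=2)            # the rule's aggregation time window
DAY = datetime(2009, 1, 14)              # constructed sample day
BATCH_AT = DAY + timedelta(hours=22)     # badge reader batch submitted at 10 p.m.
RUN_START = DAY                          # nightly job: previous run at 00:00 ...
RUN_END = DAY + timedelta(days=1)        # ... this run at 00:00 the next day


@dataclass(frozen=True)
class Event:
    name: str                # event name, e.g. "Badge swipe" or "User login"
    user: str                # the user the event concerns
    end_time: datetime       # when the activity actually happened
    receipt_time: datetime   # when the Manager received the event


def at(hh: int, mm: int) -> datetime:
    return DAY + timedelta(hours=hh, minutes=mm)


# Constructed sample input. Logins reach the Manager as they happen; badge
# swipes keep their real end times but all share the 22:00 batch receipt time.
EVENTS: List[Event] = [
    Event("User login", "alice", at(9, 1), at(9, 1)),
    Event("Badge swipe", "alice", at(9, 0), BATCH_AT),   # 1 min before her login
    Event("User login", "bob", at(9, 30), at(9, 30)),
    Event("Badge swipe", "bob", at(9, 45), BATCH_AT),    # 15 min after his login
    Event("User login", "carol", at(10, 0), at(10, 0)),  # no swipe at all
]


def is_swipe(e: Event) -> bool:
    return "swipe" in e.name.lower()


def is_login(e: Event) -> bool:
    return "login" in e.name.lower()


def realtime_correlate(events: List[Event],
                       window: timedelta = WINDOW) -> List[Tuple[str, datetime]]:
    """Model of the real-time engine: events are processed in Manager receipt
    order, and a partial match is dropped once the receipt clock has moved a
    full window past it. Returns (user, earliest end time) per correlated pair."""
    pending: List[Tuple[Event, datetime]] = []   # (event, expiry on the receipt clock)
    matches: List[Tuple[str, datetime]] = []
    for e in sorted(events, key=lambda x: x.receipt_time):
        if not (is_swipe(e) or is_login(e)):
            continue                                   # not part of this rule
        now = e.receipt_time
        pending = [(p, exp) for p, exp in pending if exp > now]   # window expired
        partner = next((p for p, _ in pending
                        if p.user == e.user and is_swipe(p) != is_swipe(e)), None)
        if partner is None:
            pending.append((e, now + window))
        else:
            matches.append((e.user, min(partner.end_time, e.end_time)))
            pending = [(p, exp) for p, exp in pending if p is not partner]
    return matches


def scheduled_correlate(store: List[Event], run_start: datetime, run_end: datetime,
                        window: timedelta = WINDOW) -> List[Tuple[str, datetime]]:
    """Model of the scheduled engine: each run reads only the events the
    Manager received since the previous run, but joins swipes to logins on
    their END times, so a batch submitted hours late still correlates."""
    batch = [e for e in store if run_start <= e.receipt_time < run_end]
    swipes = [e for e in batch if is_swipe(e)]
    logins = [e for e in batch if is_login(e)]
    return sorted(
        (s.user, min(s.end_time, lg.end_time))
        for s in swipes for lg in logins
        if s.user == lg.user and abs(s.end_time - lg.end_time) <= window
    )


if __name__ == "__main__":
    print("real-time engine :", realtime_correlate(EVENTS))
    print("scheduled engine :", scheduled_correlate(EVENTS, RUN_START, RUN_END))
```

The real-time model finds nothing: alice's login is discarded two minutes after 09:01 on the receipt clock, hours before her swipe arrives at 22:00. The nightly scheduled model correlates alice (end times one minute apart) and correctly skips bob (fifteen minutes apart). Calling scheduled_correlate with a run window that ends before the batch is submitted also returns nothing, which is the caveat above that each run considers only events received since the previous run.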
Chapter 19: Field Sets 

The field sets panel provides access to resources that are used to group and extend the fields of the 
event and resource schema. The Field Sets tree presents tools for the following tasks: 

Creating Field Sets 
Who: SOC operators, authors, and analysts concerned with traditional security-related use cases. 
What: A named subset of available data fields in the standard schema and the user-defined dynamic 
schema. 
Why: To narrow the fields available in the standard 400+ field event schema and the user-defined 
dynamic schema to make it easier to select and view fields. 
Where: Active channels, CCE. 
How: See "Creating and Using Field Sets" below. 

Creating Global Variables 
Who: SOC operators, authors, and analysts concerned with any type of use case. 
What: A way to derive a unique value from existing values in a data field, and the derived value itself, 
stored in a global variable field. 
Why: To make correlation, monitoring, and investigation more precise. 
Where: Active channels, CCE, regular field sets, other global variables. 
How: See "Global Variables" on page 555. 

Creating and Using Field Sets 546 
Resources That Use Field Sets 553 
About Global Variables 553 


Creating and Using Field Sets 

Field sets are named subsets of available data fields. Field sets can help you quickly focus a grid view, 
Event Inspector, or other field array on a particular context, such as customer accounts or vulnerabilities. 

Field sets are a shareable resource that you can manage and apply through the Field Sets resource tree 
in the Field Sets section of the Navigator panel. (In the Navigator, choose Field Sets, and click the 
Field Sets tab.) Field sets also support local and global variable data fields. 

In addition to field sets based on the Security Event schema, you can create field sets based on certain 
resources. ArcSight supports the following types of field sets: 
• Actor field set. An actor field set contains fields that make up the Actors resource. Actor fields are 
attributes to identify users and track their activity. ArcSight provides a base set of Actors fields from 
which you can make user-defined subsets. 

• Asset field set. An asset field set contains fields that make up the Assets resource. Asset fields 
are attributes used to identify monitored assets. ArcSight provides a base set of Asset fields from 
which you can make user-defined subsets. 

• Case field set. A case field set contains fields that make up the Cases resource. Case fields are 
attributes used to track events that have been added to cases. ArcSight provides a base set of 
Case fields from which you can make user-defined subsets. 

• Event field set. An event field set is a named subset of available data fields from the ArcSight 
security event schema. 

A base or root field set is provided for each schema type (Event, Actor, Asset, and so on) from which 
you can create user-defined subsets. A derived field set may inherit all or a subset of its parent's base 
fields, and may additionally include local or global variables not present in the parent. All field sets 
have a parent (field sets created in previous versions of ArcSight use the Event base field set as their 
parent by default). 

Note: The ArcSight Command Center includes a search feature, fieldset, that is different from the 

field set resource on the ArcSight Console. 


Creating a Field Set 

To create a field set: 

1. On the Console’s Navigator panel, select Field Sets from the Resources drop-down menu. 

2. Choose File > New on the Console's menu, or click the New Resource button, and then choose the 
Field Set command. You can also right-click a folder in the Field Sets resource tree and choose New 
Field Set. 

3. In the Field Set Editor in the Inspect/Edit panel, enter attributes for the field set and assign it one or 
more existing fields. 

4. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

5. Click Apply to save the field set in the resource tree and continue editing. Click OK to save the 
set in the resource tree and close the editor. 

For details about what to enter in each field of the Field Set Editor, see "Field Set Editor: Attributes 
Tab" on the next page. 
Field Set Editor: Attributes Tab 


The attributes tab is where you name the field set and specify what type of field set it is. 


Field Description 

Name 

Enter a name for the field set that identifies what it represents. 

Type 

From the drop-down menu, select what type of field set it is: 

• Actor Field Set. Select this if the field set will contain only actor fields for use cases 
relating to tracking actors. 

• Asset Field Set. Select this if the field set will contain only asset fields for use cases 
relating to tracking assets. 

• Case Field Set. Select this if the field set will contain only case fields for use cases 
relating to tracking cases. 

• Event Field Set. Select this if the field set will contain fields from the ArcSight security 
event schema for event-based use cases. 


For a description of what to enter in the Common fields, see "Common Resource Attribute Fields" on 
page 685. 

Field Set Editor: Fields Tab 

The Fields tab is where you add the data fields to the field set. 

The Field Set editor’s Fields tab provides several sources from which you can select different types of 
fields: 

• Fields & Global Variables tab. Use this tab to add existing user-defined fields and global 
variables. 

• Field Sets tab. Use this tab to add standard event and resource schema fields. This field selector 
is similar to those available in the CCE and active channel editors. 

• Local Variables tab. Use this tab to add one or more local variables defined on this field set’s top 
level Local Variables tab. The added fields on this tab are available only to this particular field set. 

You can re-order and delete fields, and create aliases for event-based fields. For instructions, see 
"Editing a Field Set" on page 552. 

Tip: Looking for information about custom columns? 


If you want to add a custom column, you need to create or define it first. For information about 
creating custom columns, see "Customizing Columns" on page 236. For information about 
working with grid views, see "Using Active Channels" on page 228. 

After you create a custom column, you can add it to your field set using the Add Custom 
Columns button at the bottom of the Fields tab editor. For details, see "Creating a Field Set" on 
page 547. 


Field Set Editor: Local Variables Tab 

Use this top-level local variables tab to define one or more local variables that you can then add to this 
field set in the Local Variables tab of the Fields tab. You can create multiple chained variables and add 
one or more of them to the field set itself. 

1. In the Local Variables tab, click Add to launch the Add Local Variable editor. 

2. In the Name field, give the local variable a name. In the Function drop-down, select a function 
category, then select a function and click OK. 

3. In the Arguments section, enter appropriate arguments for the function you selected in the 
previous step. 

4. In the Preview section, select or enter parameters and click Calculate to test the results of the 
function. 

5. When you are finished editing the field set, click OK to close the editor. 

For complete instructions about constructing a variable, see "Variables" on page 1069. 

Tip: About derived fields 

Fields shown in italics are derived from data in other fields. Derived fields appear in various places 
on the Console UI, including on the Field Set editor and the Common Conditions Editor (CCE) 
aggregation tabs (for example, Rules, Filters, and so forth). See also "Using Field Sets" on 
page 876 in the "Common Conditions Editor (CCE)" on page 864 reference topic. 

You cannot add derived fields to the field set. If you want to add a derived field to a field set, add 
the parent field instead. 


Using the Fields & Global Variables Subtab 

The Fields & Global Variables tab enables you to select fields from a resource tree like the one 
presented in the Fields & Global Variables Navigator panel. Use this tab to add user-defined fields and 
global variables to your regular field set. 
Note: The Fields & Global Variables subtab also presents regular event fields. The field selector 
provides a tree-level view of the standard event and resource schema fields. You can use this view 
to add event fields, or add them from the Field Sets tab described in "Using the Field Sets Subtab" 
below. 


In the Fields and Global Variables tab, select any existing fields or global variables you want to add to 
the field set. The selected field will appear in the Selected Fields panel. 

For more about global variables, see "Global Variables" on page 555. 

Using the Field Sets Subtab 

The Field Sets subtab enables you to select regular event fields that are part of a field set using a 
functionally organized field selector similar to that in the CCE and active channel editor. You can also 
use field sets in the Field Sets tab to narrow the list of fields down to those you are interested in. 
You can navigate the entire event and resource schema for the fields you are interested in, or select a 
field set from which you want to select fields in the Choose fields from drop-down menu. 

Using the Local Variables Subtab 

If you want to add a local variable to this field set, but the local variables tab in the Field tab contains no 
items to select, first define the local variable in "Field Set Editor: Local Variables Tab" on page 549. 

1. In the Available Fields for <type of> Field Set section on the Local Variables tab, select a local 
variable that you defined in "Field Set Editor: Local Variables Tab" on page 549. 

2. Select the check box for the local variable you want to add to the field set. 

■ To re-order the local variables in the list, select a field and use the up/down arrows to place 
it in the desired order. The variables are evaluated in the order shown here. 

■ To remove the local variable from the list, select the field and click the delete button. 
Adding Custom Columns 

The bottom of the Fields tab provides a button that enables you to add an existing custom column to the 
field set. For more about custom columns and how to create them, see "Customizing Columns" on 
page 236. 

To add a custom column: 

1. Click Add Custom Columns. 

2. In the Add Custom Columns dialog, select an existing custom column and click OK. 


Editing a Field Set 

Where: Navigator > Resources tab > Field Sets > Field Sets tab 


1. Right-click a field set and select Edit Field Set. 

2. In the Field Set Editor, use the Attributes tab to change the field set's name. 

3. Click the Fields tab and use its Available Fields list to select fields to add to the list. 


■ To re-order fields: Select one or more fields and use the up or down arrows to place them in the 
desired order. Fields and variables are displayed and evaluated in the order specified in this list. 


■ To create an alias for event-based fields: Select the field, then click the alias button. In the 
Create Alias dialog box, enter an alternate name for the field. 


This alias will be used to identify this field in this field set anywhere this field set is used to 
select or display fields, such as an active channel column heading or a CCE field selector. 


Note: You can create an alias for event-based fields only. 

You cannot create an alias for resource-based fields, such as assets or cases. You also 
cannot create an alias for a field set or a global variable. 


■ To delete a field from the field set: Select the field and click the delete button. 

4. Use the Local Variables tab to define variables you can add to the field set using the Local 
Variables tab in the Fields tab. See "Creating a Field Set" on page 547. 

5. Rearrange or remove fields in the Fields to Show list. 

6. Click Apply to save the set in the resource tree and continue editing. Click OK to save the set in 
the resource tree and close the editor. 
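A small model of an event field set, as an added example (not ArcSight's implementation): ordered fields, aliases permitted on event-based fields only, and local variables evaluated in list order so that a later variable can use an earlier one. The FieldSet and LocalVariable classes, the sample event and the hypothetical assetName field are constructed for illustration; sourceUserName, sourceHostName and destinationPort are standard event schema field names.

```python
"""Added example (not ArcSight code): field-set projection with aliases and
chained local variables, including the failure when variables are misordered."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class LocalVariable:
    """A derived field. `derive` receives the row built so far, so it can read
    schema fields and any variable listed before it, but not one listed after."""
    name: str
    derive: Callable[[dict], object]


@dataclass
class FieldSet:
    name: str
    kind: str = "Event"                                   # Event, Actor, Asset or Case
    fields: List[str] = field(default_factory=list)       # schema fields, in display order
    aliases: Dict[str, str] = field(default_factory=dict)
    variables: List[LocalVariable] = field(default_factory=list)  # evaluated in this order

    def add_alias(self, name: str, alias: str) -> None:
        # Aliases exist for event-based fields only: not for resource field
        # sets (Actor/Asset/Case) and not for variables.
        if self.kind != "Event":
            raise ValueError(f"{self.kind} field sets cannot alias fields")
        if name in {v.name for v in self.variables}:
            raise ValueError("variables cannot be aliased")
        if name not in self.fields:
            raise KeyError(name)
        self.aliases[name] = alias

    def headers(self) -> List[str]:
        """Column headings a grid would show: alias if set, then the variables."""
        return [self.aliases.get(f, f) for f in self.fields] + [v.name for v in self.variables]

    def project(self, event: dict) -> List[object]:
        """Narrow one event to this field set and evaluate the variables in order."""
        row = {f: event.get(f) for f in self.fields}
        for v in self.variables:
            row[v.name] = v.derive(row)   # raises KeyError if v depends on a later variable
        return [row[f] for f in self.fields] + [row[v.name] for v in self.variables]


# Constructed sample event using standard event schema field names.
SAMPLE_EVENT = {
    "name": "User login",
    "sourceUserName": "alice",
    "sourceHostName": "wks17.corp.example",
    "sourceAddress": "10.20.30.41",
    "destinationPort": 22,
    "priority": 5,
}

# Two chained local variables: the second depends on the first.
SRC_DOMAIN = LocalVariable(
    "src_domain", lambda row: (row["sourceHostName"] or "").partition(".")[2])
IS_INTERNAL = LocalVariable(
    "is_internal", lambda row: row["src_domain"].endswith("corp.example"))


def login_view() -> FieldSet:
    fs = FieldSet("Login Review",
                  fields=["sourceUserName", "sourceHostName", "destinationPort"],
                  variables=[SRC_DOMAIN, IS_INTERNAL])
    fs.add_alias("sourceUserName", "User")
    fs.add_alias("destinationPort", "Port")
    return fs


def misordered_view() -> FieldSet:
    # Same variables in the wrong order: is_internal runs before src_domain exists.
    return FieldSet("Misordered", fields=["sourceHostName"], variables=[IS_INTERNAL, SRC_DOMAIN])


def alias_on_asset_field_set_allowed() -> bool:
    # assetName is a hypothetical field name used only for this check.
    fs = FieldSet("Asset view", kind="Asset", fields=["assetName"])
    try:
        fs.add_alias("assetName", "Asset")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fs = login_view()
    print(fs.headers())
    print(fs.project(SAMPLE_EVENT))
```

login_view() renders the headings User, sourceHostName, Port, src_domain, is_internal and the row alice, wks17.corp.example, 22, corp.example, True. misordered_view().project(...) fails with a KeyError for src_domain, which is why the up/down ordering of local variables matters, and alias_on_asset_field_set_allowed() returns False because aliases are for event-based fields only.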
Sharing a Field Set 

When you create a field set in the Shared folder in the Field Sets resource tree, it is available to other 
users who have permission for those folders. If you create one in your own folder, it is not available to 
other users unless you move, copy, or link it into a Shared folder. 

1. Click the field set in your folder and drag it to the appropriate Shared folder. 

2. In the Drag and Drop dialog box, choose to Move, Copy, or Link the resource in its new location. 

■ Moving relocates the resource, leaving a single instance of it in the tree. 

■ Copying makes a duplicate, leaving two independent instances of the resource. 

■ Linking leaves the original in place, and creates a connected copy in the new location that will 
change whenever the master instance changes. 

You create sortable field sets in the same way, but without the option to add variables to the sets. 

You control access to field set folders like any other resource. 

See also "Applying a Field Set to an Active Channel" on page 216 and Sorting Events in a Channel. 


Deleting a Field Set 

1. In the Navigator panel at the Field Sets tab, right-click the field set you want to delete and select 
Delete Field Set. 

2. In the confirmation dialog box, click Delete to delete the field set. 


Resources That Use Field Sets 

Use field sets in the following resources: 

• To sort active channels. For more about how to use field sets in active channels, see "Applying a 
Field Set to an Active Channel" on page 216. 

• To narrow the list of fields available for selecting in the CCE. For more about how to use field 
sets when authoring resources in the CCE, see "Common Conditions Editor (CCE)" on page 864. 

• To define fields for a query. For more about creating queries, see "Building Queries" on page 301. 


About Global Variables 

Global variables are created from the Fields & Global Variables tab in the Field Sets Navigator panel. 
For more information about global variables, see "Global Variables" on page 555. 

ArcSight provides the ability to create variables that derive values from existing data fields that you can 
create locally in the resource you’re working on to make monitoring and correlation more specific to 
particular scenarios. 

In addition to these local variables, there is a global variable resource that makes it possible to define a 
variable once, then re-use it in multiple places wherever conditions can be expressed (active channels, 
rules, filters, data monitors, and queries), and wherever fields can be selected (CCE, field sets). 

Global variables are centralized and reusable, which makes them an essential building block for user 
correlation in the Actors feature and other advanced correlation scenarios. 

Once created, global variables can be selected in the "Common Conditions Editor (CCE)" on page 864 
as additional fields on the Filters or Conditions tabs, as Group By arguments for data monitors and 
queries, and in rule conditions and actions. You can add variables to field sets in the Field Set Editor to 
extend the event and resource schema with values derived from other data fields. 

The global variables feature also makes it possible to easily promote local variables defined for a 
particular resource into a global variable, where it can be re-used in other condition statements. 


Remote Variables Processing 

Variables using Group, List, and Category Model functions are evaluated on the Manager, not directly 
on the Console, and are referred to as “remote” variables. 

These remote variables are evaluated only once on the Console for any given event or resource. 
Therefore, the value of the variable on the Console does not change even if the underlying data is 
later modified in a way that would yield a different value for the variable. New events (in event channels) and 
resources (in resource channels) evaluate the variable again, and you see the updated value. 

Because not all variables can be calculated on the Console, there may be a delay in returning values 
from variables calculated “remotely” on the Manager. 


Global Variable Dependencies 

Global variables depend on a pre-defined schema, so in-memory data gathered during run time in active 
channels, active lists, session lists, query viewers, queries, and trends cannot be used to define a 
global variable. 

In-memory global variables can be displayed as columns in active channels, but not used as part of a 
condition or filter (for example, to derive a list or query result). 

This chapter describes how to use Console tools to create global variables, and how to leverage them 
in other resources. For details about the supported variable types and functions, see "Variables" on 
page 1069. 
Navigating to Global Variables 

The Console Navigator contains a resource tab called Field Sets with a tab called Fields & Global 
Variables. This tab displays: 

• Global variable resources defined by users and in standard content 

• Standard event schema fields 

[Screenshot: Navigator panel, Resources > Field Sets, Fields & Global Variables tab, showing the Actor Variables, Event Fields, and Downloads groups.] 


To view fields in the standard schema, including device custom fields, on the Fields & Global Variables 
tab, browse to All Fields/ArcSight System/Event Fields. 


Creating or Editing a Global Variable 

Caution: Do not exceed 10,000 resources in a group. 

Here are the high-level steps for creating or editing a global variable: 

1. In the Navigator panel, go to Field Sets and click the Fields & Global Variables tab. 

2. In the Fields tree, right-click the group for the global variable you are adding or editing, such as 
<user’s> Fields, and select New Global Variable. 

If you are editing a variable, right-click and select Edit Field. 

3. In the Global Variable Editor in the Inspect/Edit panel, define the new or edit the existing global 
variable. 

Caution: If you are editing a global variable, be careful about changing its name or type if the 
global variable is linked to other resources. Changes to its name or type could impact other 
resources that link to the variable. You can change its function parameters. 

a. In the Attributes tab, name the global variable, specify its type, and specify the group in which 
to place it to help others find it in pick lists. For details, see "Global Variable Editor: Attributes 
Tab" below. 

b. In the Parameters tab, define the parameters the variable uses and the functions it performs. For 
details, see "Global Variable Editor: Parameters Tab" on the next page. 

c. In the Local Variables tab, you can optionally add a local variable, which extracts data from a 
field that can be used for the overall global variable. For details, see "Global Variable Editor: 
Local Variables Tab" on page 559. 

4. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

5. Click Apply to apply the changes and keep the editor open; click OK to save changes and close 
the editor. 


Global Variable Editor: Attributes Tab 


Field: Name 

Enter the variable name (which must be unique in the containing group). Global variable 
names cannot be SQL keywords. 

NOTE: The value you enter here cannot be changed once the global variable is saved. If you 
want to change the name of the global variable after it is saved, make note of the variable 
attributes and re-create the variable with the desired name. 

Field: Type 

From the drop-down selector, select the type of global variable you want to create. The type 
you choose here determines the type of fields available to this variable, and which resources 
can use the data derived from it. 

• Event Global Variable. Select this default option if you want the global variable to 
operate on event fields. 

• Asset Global Variable. Select this option if you want the global variable to operate on 
fields associated with assets in the network model. 

• Case Global Variable. Select this option if you want the global variable to operate on 
fields associated with cases. 

• Actor Global Variable. Select this option if you want the global variable to operate on 
fields associated with actors. 

Field: Group 

From the drop-down menu, select the group in which to place your global variable. This is the 
group where you find the global variable in field pick lists in the CCE and Field Sets editor. 

The Variables group is selected by default, which means if you want to select this global 
variable in the pick lists, you scroll down to the Variables group. If you want to position this 
variable in the top group of the pick list, select root. 


For a description of what to enter in the Common fields, see "Common Resource Attribute Fields" on 
page 685. 


Global Variable Editor: Parameters Tab 

Use the Parameters tab to choose the category, function, and arguments necessary to supply the 
values. 

1. On the Parameters tab’s Function field, select the function that the variable uses to evaluate. First 
select a category, such as Arithmetic, then choose a function from that category, for example, 
Add. 

2. In the Arguments fields, specify the arguments (number and type parameters depending on the 
function), each of which may be a constant value, a field from the parent field set, or another global 
variable (see "Chaining a Global Variable" on page 567). For example, for the Add function, which 
adds two numbers, your arguments will consist of the values from two specified fields to be 
added. 

3. For relevant functions, you can verify that the arguments you entered in the Function and 
Arguments fields return the values you want by entering sample parameters in the Preview fields. 

For details about how to fill out the Function and Arguments fields, see "Variable Definition Fields" on 
page 1071. 
Global Variable Editor: Local Variables Tab 

Use the Local Variables tab to extract a value from a field that you want to use in the overall Global 
Variable. 

1. Click Add. This launches the Add Local Variable editor. 

2. In the Add Local Variable editor, enter a name for the local variable, specify a function, and add 
arguments (number and type parameters depending on the function). 

3. Verify that the arguments you entered in the Function and Arguments fields return the values you 
want by entering sample parameters in the Preview fields. 

For details about what to enter in the Function and Arguments fields, see "Variable Definition Fields" on 
page 1071. 


Managing Global Variables 

To move or link a global variable: 

You can move a global variable in the Navigator the same way other resources can be moved or linked. 
For details, see "Moving, Copying, Linking, and Deleting Resources" on page 670. 

Note: You cannot copy global variables. 


To delete a global variable: 

1. In the Navigator panel, right-click the global variable and select Delete Field. 

2. At the confirmation dialog box, click Delete. 

If any resources depend on this variable, a warning is displayed containing the URI of the impacted 
resources. You can override the warning and force-delete the variable. In such cases, the dependent 
resources are marked invalid; you can then edit those resources and remove any orphaned references. 


Promoting a Local Variable to a Global Variable 

If you have an existing resource (such as a field set or rule) that contains one or more local variables 
that you want to re-use in other resources, it is easy to convert that variable to a global variable. 

This feature is available in the following resource editors: active channels, data monitors, field sets, 
filters, rules, and queries. 
Note: Limitations in promoting local variables for resources 

• Local variables defined for data from events, actors, cases, and assets can be promoted to 
global variables. 

• Local variables defined for query viewers cannot be promoted to global variables. Query 
viewers operate on queries, which have their own distinct schema for each instance. A local 
variable defined for a query viewer is likely only applicable to that specific query viewer. 


To promote a local variable: 

1. At the Local Variables tab in the resource editor, select the local variable you want to promote. 
This activates the Make Global button in the local variable toolbar. 



2. Click the Make Global button. 

3. On the Fields Selector, choose the group to which you want to save the global variable. 

4. Decide whether to use the global variable you just promoted in the resource. At the prompt: 

■ Click Yes to promote the local variable to a global variable. This removes the variable from the 
local variables list and makes it available to the resource as a global variable. 

■ Click No to keep the variable local in the host resource. 

If you opted to replace the local variable with the global version, you can see it by viewing the 
condition or selected fields tab, depending on what type of resource you are working in. 



5. To find the new global variable you just promoted from the global variables tree, go to Field Sets > 
Fields & Global Variables. Navigate to the group in which you saved the global variable. 

[Screenshot: Navigator panel, Field Sets > Fields & Global Variables, showing the promoted variables (Add numerals, Concatenate, GV1, LengthOfMessage, Parse IP address, Velocity) under admin's Fields.] 

The new global variable appears in the Variables hierarchy and is available to other resources. 

A global variable may also chain (use as parameters) other variables that are local to a resource. A 
common use case is to create a complex chain of variables, and expose only the variable representing 
the final result as a global variable, keeping the chained intermediate variables local to their host 
resource. 


Adding a Global Variable to a Resource 

You can add a global variable to any resource such as active channels, data monitors, and field sets in 
which you can express a condition that uses the "Common Conditions Editor (CCE)" on page 864. The 
editor for such resources would include a subtab for adding fields and global variables. 

Global variables are made available to query viewers through the queries. 


Accessing a Global Variable Using the CCE 

Resources that use the Common Conditions Editor (CCE) provide a button that enables you to access 
and add a global variable to a condition statement. 
To add a global variable using the CCE: 

1. In the CCE for a given resource, click the +/- Global Variable button. 

2. On the Global Variable Selector dialog, select one or more variables you want to add and click OK. 

Only variables whose schema type matches the given resource are displayed. For example, an 
actor-based global variable can be added to an actor-based query, but not to an event-based or other 
resource-based query. 

3. The added variables appear in the field list under the group selected for it in the Global Variables 
editor (such as the Variables group). You can use these variables in condition statements for this 
resource. 

For details, see "Adding or Removing Global Variables Using the CCE" on page 877 in the reference 
topic on the "Common Conditions Editor (CCE)" on page 864. 

If the resource you are working in uses a field set that contains global variables, any global variable 
fields included in the selected field set are also available for selection in the CCE. 


Adding Global Variables to an Active Channel 

When you initially create an active channel, you can only apply fields that are defined as a field set, 
either an existing one, or a specific field set for use only by the active channel you are defining. 

Global variables can only be added to an active channel from an existing field set that contains the 
global variables. If an existing field set contains one or more global variables, those global variable 
fields become part of your active channel. 
However, if you are defining the fields only for the exclusive use of the channel you are creating, the 
Define Grid Fields selector on the Active Channel dialog does not present global variable fields. 

Viewing global variables in the Event Inspector: 

When you view events in an active channel and open an event that contains a global variable field in the 
Event Inspector, you may need to refresh the Event Inspector view to see the global variable fields, 
because the Manager processes global variable data differently from regular event data. 

• If the Hide Empty Rows icon is on (so empty rows are not displayed), you may not see the 
global variable fields in the event inspector. 

• To refresh the view, de-select, then re-select the Hide Empty Rows icon. 


Adding a Global Variable to a Data Monitor 

You can add a global variable to any field-based data monitor on the Attributes tab where fields are 
selected. Field-based data monitors include: 

• Event graph 

• Hierarchy Map 

• Last N Events 

• Last State 

• Moving Average 

• Statistics 
• Top Value Counts (bucketized) 

[Screenshot: Inspect/Edit panel, Data Monitor editor, Attributes tab for a Last N Events data monitor ("Last 10 Database Configuration Changes"), showing the Restrict by Filter, Availability Interval, Select FieldSet, # of Events, and Field Names settings.] 

To add a global variable to a data monitor: 

1. Go to Dashboards > Data Monitors. Either create a new data monitor (right-click a group and 
choose New Data Monitor) or edit an existing data monitor (right-click a data monitor and choose 
Edit Data Monitor). 

2. In the Data Monitor editor where you can select fields, click the value field to launch the field 
selector. The available fields vary depending on the type of data monitor you selected. 

3. In the field selector, click the Fields & Global Variables tab and select an available global 
variable. Click OK. 

[Screenshot: field selector dialog with Selected Fields (Add numerals) and Available Fields on the Fields & Global Variables tab (Concatenate, GV1, LengthOfMessage, Parse IP address under admin's Fields).] 

For details about how to use the data monitor editor, see "Using Custom View Dashboards" on 
page 264. 


Adding a Global Variable to a Field Set 

You can also add a global variable to a field set. Once you add a global variable to a field set, whenever 
you apply that field set in a resource, you can select the global variable directly without having to add it 
first. 

There are five different types of field sets: 

• Actor field set. An actor field set contains only actor-related fields. Only a global variable created 
using actor fields can be added to an actor field set. 

• Asset field set. An asset field set contains only asset-related fields. Only a global variable created 
using asset fields can be added to an asset field set. 

• Case field set. A case field set contains only case-related fields. Only a global variable created 
using case fields can be added to a case field set. 

• Event field set. An event field set is a named subset of available data fields from the security event 
schema. 


Note: There are also domain field sets, but you cannot create a global variable using domain 
fields and you cannot add a global variable to a domain field set. 
To add a global variable to a field set: 

1. Go to the Field Sets resource, which opens by default to the Field Sets tab. Either create a new field 
set (right-click a group and choose New Field Set) or edit an existing field set (right-click a field 
set and choose Edit Field Set). 

2. In the Field Set editor Fields tab where you can select fields, click the Fields & Global Variables 
tab and select an available global variable. Click OK. 



For details about creating a field set, see "Creating a Field Set" on page 547. 


Chaining a Global Variable 

You can “chain” variables, that is, use one variable as a function parameter for another variable. The 
parent (outer) variable doing the chaining can be either a local or global variable. 

A variable (local or global) may be chained inside another variable only if the child (inner) variable’s 
return type is compatible with the outer variable's parameter type. For example, an ADD function 
variable can be chained inside a variable that takes a numeric parameter. 

Tip: Before making one variable a function parameter of another variable, create the inner variable 
first, and make sure that its data type is compatible with the function you want the outer variable to 
perform. 

These steps show an example of chaining two global variables using the Global Variable Editor’s 
Parameters tab. You can also chain a global variable in the parameters of a local variable defined in the 
Local Variables tab of the Global Variable Editor. 

1. In the Global Variable Editor’s Parameters tab, select a function that matches the data type of the 
global variable function you want to chain. For example, if you want to perform an arithmetic 
function, the child (inner) variable should be a number. 



2. In the Arguments section, select the inner global variable from the Global tab. 

3. Verify that the arguments you entered in the Function and Arguments fields return the values you 
want by entering sample parameters in the Preview fields. 

In the case of global variables that perform lookups from Active or Session Lists, the nested sub-fields 
(representing the list columns) are also available for selection, provided the sub-fields are the required 
data type. 
Identity correlation provides the ability to model users and associate them with events. Identity 
correlation can be accomplished using session lists for some scenarios (session correlation) and 
active lists for others (user or device correlation). 

You can capture and record session-related data in a user-defined session list where it can be used for 
a number of purposes in identifying and tracking users in relation to MAC addresses, IP addresses, 
machines, network logons, and so forth. 

Also, you can use a pre-populated active list to find a value and then use the value (as a variable) in a 
rule. You can use this strategy to identify entities or objects in a variety of scenarios such as correlating 
various user IDs (logins, e-mail addresses, badge IDs) to unique IDs; mapping unique user IDs to user 
roles; and even finding the status of a machine by its host name. 

The following topics describe scenarios for using both resources, and include step-by-step examples of 
using session lists and active lists with rules and variables for identity correlation. 


Understanding Session Correlation 569 

Managing Session Lists 570 

Example: Using Session Lists to Correlate Session Data on User Logins 574 

Example: Using Active Lists to Correlate Users 585 


Understanding Session Correlation 

You can leverage ArcSight-provided resources (pre-defined "Session Lists" on page 1043 and "Rules" 
on page 1029) or develop customized session lists to use for identity correlation, as described here. 

How session correlation works: 

Session correlation captures and records session-related data in a user-defined list, where it can be 
used by ArcSight's Correlation Engine to: 

• Resolve event endpoints against DHCP sessions to identify which device was located at the 
reported IP address at the time of the event. 

• Use existing maps that link MAC addresses and/or host names to users, if available. 

• Attribute actions originating from a specific device to its owner. 

• Extract and resolve user information from VPN logins, including the VPN user name and session 
characteristics. 

• Track who accesses a given network node at a given time to trace events that originate from this 
device to users that were logged in at the time. 

Session correlation is a three-step process that involves three or more ArcSight resources. 



2. Create rule to 
populate session list 


■ 

rri Active 
' Channels 

li Filters 

(£| Dashboards 

Reports 

o| Data 

1 — 1 Monitors 

Ji Rules 

3. Use session list output 

anywhere variables can 

be used 



You define a session list, then creates a rule to populate it. The results written to the session list can be 
used anywhere variables are used, such as to trigger other rules, or to populate active channels, 
dashboards, and reports. 

The high-level steps are: 


1. Create a session list (as described in "Creating a Session List" on page 486). 

2. Create a rule to populate the session list (as described in "Creating a Session List Rule" on the 
next page). 

3. Use the session list output wherever needed (as described in "Using the Session List Output" on 
page 572). 


See also "Example: Using Session Lists to Correlate Session Data on User Logins" on page 574 for a 
walkthrough of creating and populating a session list with Windows session information. 


Managing Session Lists 

While you can manually update session lists, their real value comes when you author automatic, rule- 
driven lists with dynamic content. 

See also "Understanding Session Correlation" on the previous page and "Example: Using Session 
Lists to Correlate Session Data on User Logins" on page 574. 

For specific instructions on working with session lists, refer to "Managing Session Lists" on page 485: 

• "Creating a Session List" on page 486 

• "Editing Session Lists and List Entries" on page 489 

Note: Session lists are usually defined in conjunction with rules specifically tailored to interact 
with those lists dynamically. Lists not driven by rules are empty or contain only manually added 
entries that have not timed out. 

Creating a Session List Rule 

Make sure you have created a session list for this procedure. To create a rule that writes new sessions 
into your session list or that re-sends session start times to your session list: 

1. In the Navigator panel's drop-down menu, choose Rules. 

2. In the Rules resource tree, right-click a group and select New Rule > Standard Rule. The Rules 
Editor displays in the Inspect/Edit panel. 

3. At the General tab, enter the following values: 


Rule Settings for Session Lists 

In this field... / ...enter this 

Name: Enter a name in the Rule Name text field. The Rule Name should be as 
descriptive as possible. It is stored in the Event Name data field and appears in 
the Event Name column of the grid view. The Rule Name text field is required and 
restricted to 25 characters. 

Rule Type: Keep the selection, Standard Rule. Using a standard rule allows multiple event 
conditions, aggregations, and triggers. However, if you want to keep the rule 
simple, consider a Lightweight Rule, which is limited to acting on lists. See 
"Rule Types" on page 494 for more details. 

Common: External ID, Alias: If this rule is referenced by an external system, such as Remedy or a vulnerability 
scanner, enter the pertinent external ID information here. If not, leave these fields 
blank. 

Description: Enter a description in the Description text field. The description should be 
meaningful and detailed. For example, This rule creates an entry in the DHCP 
session list when a new DHCP session starts. 

Assign: Owner, Notification Groups: If you wish to specify an owner for this resource and to automatically notify other 
users when this rule is changed, select existing users and notification groups from 
the drop-down menu. This step is optional. 


4. On the Conditions tab, enter the conditions that indicate a session start and click Apply. 

5. On the Aggregation tab, specify the event fields from the session list that you want to have 
displayed in the event grid when the rule is triggered by the session conditions specified in the 
Conditions tab. You should probably aggregate all items you specified in your session list so that 
those values are populated when the event occurs. 

6. On the Actions tab, set the trigger and the action you wish the rule to take when the conditions are 
met: 

a. Select the trigger you want to apply to this rule and make sure it is activated. 

On First Event is the default trigger. This determines which occurrence of the “session start” 
conditions will trigger the action to write the event to the session list as the start of a session. 
See "Threshold Triggering Options" on page 518 for details on the available triggers. 

Tip: You can use references to Velocity Templates as parameters for rule actions to 
derive values from event fields and variables. (See "Velocity Templates" on page 1093.) 

b. While the trigger is selected, click Add to add an action. Select Session List | Add to 
Session List. 

c. In the Add Action dialog box at the Session List drop-down menu, navigate to the session list 
you created earlier. The parameters you set for the session list are displayed in the Session 
Field Mapping area. 

d. In the Session Field Mapping area at the Start Time field, select which event time stamp you 
want to use to record as the official start time. 


Start Time option / Description 

End Time: The time the event ended. 

Manager Receipt Time: The time the event arrived at the Manager. 


e. For the remaining fields you specified in your session list that have multiple choices, select 
which value you wish to use for your session list and click OK. For a description of the 
data fields, see "Data Fields" on page 885. 

7. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

8. Click OK. The relevant events matching this rule will populate the session list. 


Using the Session List Output 

Once the session list has been populated by events that trigger the session list rule, the session data 
can be accessed anywhere variables can be used: 

• Active channels 

• Data monitors 

• Dashboards 

• Filters 
• Reports 

• Rules 


Creating a Variable 

From the editor of one of the resources (active channel, data monitors, dashboards, filters, reports, 
rules), you can create a variable that uses the GetSessionData function. This variable is derived from 
the session time-stamp data stored in the session list. 

To create a variable: 

1. In the Navigator panel's drop-down menu, choose the resource that you wish to consume the 
session list data. These steps use Filters as an example. Right-click a filter group and select New 
Filter. 

2. On the Attributes tab, enter a name for the filter, and optionally, external ID and alias information, 
and/or owner and notification group information. 

3. On the Variables tab, click Add, then choose either Local Variable or Global Variable (depending 
on whether you want this variable shared across all resources). In the "Add Variable" dialog, enter 
the following values and click OK: 


In this field...   ...enter this 

Name               Enter a name for the variable. The name you enter appears in the <Lists> menu 
                   available from the "Common Conditions Editor (CCE)" on page 864. Spaces and 
                   special characters are allowed. 

Function           In the Function pull-down menu, select List Functions > GetSessionData. 

Arguments          In the <field name> pull-down menu, select the session list you created 
                   previously. 

Preview            To preview the results, select an asset from the list of assets reporting events to 
                   ArcSight and click Calculate. 


4. Perform any necessary Session Field Mapping. 

5. In the Filters tab conditions editor, scroll down to the bottom of the Fields list until you see 
Variables. Here you see the name of the variable you created earlier in this procedure. In the 
Operator field, select an operator appropriate for the GetSessionData function for the variable you 
created. In the Condition field, enter an appropriate value. Session lists that allow overlapping 
sessions take a list of values separated by commas; session lists that do not allow overlapping 
take a single value. This instructs the filter to derive its values from your session list. 


ArcSight Console User's Guide 
Chapter 21: Identity Correlation 


6. When you have finished setting all the conditions, click Apply to save changes and keep the 
editor open; click OK to save the filter and exit the editor. 


Example: Using Session Lists to Correlate Session Data on User Logins 

Using session lists for identity correlation is a three-step process that involves three or more ArcSight 
resources. The high-level workflow for creating and using session lists for identity correlation is: 

1. Create a session list. In the example, the list will store information about Windows logins and 
logoffs. 

2. Create a rule to populate it. The example will use two rules: 

■ A rule that is triggered at the start of a successful Windows login and populates the session list 
with the successful login event data 

■ A rule that is triggered when a user logs off and populates the session list with the session 
termination event data 

The rules will be verified using the Verify Rules with Events tool to make sure that the rules are 
triggered and that your session list is populated appropriately with session logins and start/end 
times. 

3. Use the session list output. The output in this example is a new report using the session list you 
just created as the data source. In general, the results written to the session list can be used 
anywhere variables are used, such as to trigger other rules, or to populate active channels, 
dashboards, and reports. 


Note: You need a set of Windows session events (user logins/logoffs) to properly verify the 
resources you create for this example. 


Step 1 - Create a Session List to Store Windows 
Sessions 

Start by creating a session list that will contain Windows login sessions. 

Choose the Lists resource in the Navigator, and click the Session List tab. Right-click a user folder 
and choose New Session List. (For more detailed help on creating session lists, see "Creating a 
Session List" on page 486.) 

In the Session List editor, name the session list, and add the fields as shown. 
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Session List 

Attributes Value 

Name 

Windows Login Sessions 

Overlapping 

Entries 

Disabled (leave unchecked) 

This example assumes that the Windows server we are monitoring does not 
support multiple-user logins, which is why we leave Overlapping Entries 
unchecked. 

In 

MemoryCapacity 

(xIOOO) 

10 (keep the default) 


Tip: 

Entering data in the Common and Assign sections is optional, depending on how your environment 
is configured. For information about the Common and Assign attributes sections, as well as the 
read-only attribute fields in Parent Groups and Creation Information, see Common Resource 
Attribute Fields" on page 685. 


Add the following three fields with names and types as shown. Set "Username" as the key field. 


Field Names for Session Lists   Type     Key Fields 

Username                        String   Enabled 

NT Domain                       String 

Device                          String 
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Example Session List 



Session list name 

Disable overlapping 
entries if server does 
not support multi-user 
logins 


Fields: The session list 
will include these fields. 
Username, marked as 
the key field, must be 
unique to indicate a 
session start. 


Step 2 - Create Rules to Populate the Session List 
with Windows Logins 

Create two rules with which to populate the session list: 

• A rule that triggers on Windows session logins 

• A rule that triggers when a Windows session terminates 

To create a new rule, choose the Rules resource from the Navigator drop-down menu, right-click a user 
group, and select New Rule from the context menu. (If you need more help on creating rules, see 
"Managing Rules" on page 495. For a general introduction to working with rules, see "Rules Authoring" 
on page 493.) 

Note: For this example, first create rules in a user folder under Rules for testing purposes. Once 
you have created and verified rules and are ready to deploy them on real-time events, move or 
copy the rules to your user folder under Real-time Rules. Only rules deployed in Real-time Rules 
filter on live events and show up in a live channel when they are triggered. See "Deploying Real-time 
Rules" on page 536 for more information. 


Rule 1: Triggers on Windows Session Logins 

Create a rule to populate the session list. Use the following attributes, conditions, aggregation, and 
actions as shown below. 

Attributes 

On the Attributes tab, enter the name of the session login rule as follows. 

• Name: Successful Windows Login 


Figure: Attributes tab of the Successful Windows Login rule in the Inspect/Edit panel (Rule Type: 
Standard Rule; Parent Group: /All Rules/Personal/admin's Rules/Jing's Rules/; created and last 
updated by admin on 1 Aug 2013). 

Conditions 

Click the Conditions tab for the login rule, and enter the following conditions. 

• Target User Name Is NOT NULL 

• Target Nt Domain Is NOT NULL 

• Device Host Name Is NOT NULL 

Setting these conditions causes the rule to be triggered on any event that carries a target user 
name, a target NT domain, and a device host name. Note that nothing here tests the event's type or 
outcome, so in a real deployment you would also constrain the event name (or another field that 
identifies a successful logon); otherwise every event with those three fields populated starts a 
session. (For more information on using the Common Conditions Editor or "CCE", see "Common 
Conditions Editor (CCE)" on page 864 and "Conditional Statements" on page 879.) 
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Aggregation 

Click the Aggregation tab for the login rule. Under Aggregate only if these fields are identical, click 
Add... to bring up the Add Fields dialog. Select the following fields on which to aggregate and click OK 
to add them to the rule. 

• Target User Name 

• Target Nt Domain 

• Device Host Name 

Aggregation can be used to combine multiple events (as specified in the number of matches) into a 
single entry for the session list. But in this case (where we are aggregating events with identical fields 
on only a single match), we are specifying fields in the Aggregation tab for the purpose of making those 
same fields available in the Actions tab. 
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Actions 

Click the Actions tab for the login rule. 



Right-click On Every Event and select Activate Trigger. Right-click again and select Add | Session 
List | Add to Session List. 

In the Session List drop-down menu on the Add dialog, select the Windows Login Sessions session list 
you created in the first step. 

Map the fields as follows. 

• Start Time: End Time 

• Username: Target User Name 
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• NT Domain: Target Nt Domain 

• Device: Device Host Name 

This prompts the rule to add a login event to the Windows Login Sessions list every time a matching 
login event occurs. 


Figure: the Edit Action dialog (When: On Every Event; Session List: Windows Login Sessions). In 
the Session Field Mapping area you select a populating event field for each session field: 

Name          Field                 Key 

* Start Time  End Time 

* Username    Target User Name      (key) 

* NT Domain   Target Nt Domain 

* Device      Device Host Name 

The dialog notes that the recommended Start Time value is End Time, and that to view date-time 
fields other than End Time and Manager Receipt Time in the field drop-down, they must be 
aggregated as identical. 


Click OK on the Add to Session List dialog to add the actions to the rule. When the actions are properly 
configured, they are displayed under the On Every Event action as shown. Windows session logins 
are added to the session list on every event. 


Figure: Actions tab of the Successful Windows Login rule. Under On Every Event [Active], the Add to 
Session List action lists Field: End Time, Field: Target User Name, Field: Target Nt Domain, Field: 
Device Host Name, and Resource: /All Session Lists/Personal/admin's Session Lists/Windows Login 
Sessions. On First Event is also marked Active; the remaining triggers (On Subsequent Events, On 
First Threshold, On Subsequent Thresholds, On Every Threshold, On Time Unit, On Time Window 
Expiration) carry no actions. 

Click OK to save the session login rule. 

Rule 2: Triggers on Termination of Windows Sessions 

Create a rule to populate the session list with Windows session termination information. Define this 
"terminate session list" rule with the same settings as the "add to session list" rule you just created, 
with the following differences specific to terminating the session: 
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• On the Attributes tab, Rule Name is Windows User Logoff (instead of Login). 

• On the Conditions tab, define the same Conditions as in the previous rule. 

• On the Aggregation tab, aggregate on the same fields as in the previous rule. 

• On the Actions tab, define the same actions as in the previous rule but add the actions to Terminate 
Session List instead of Add to Session List. (The menu path for adding the logoff rule is Add | 

Session List | Terminate Session List.) 

The Actions tab for the logoff rule is shown below. Notice that for Windows logoffs, the rule triggers the 
action to add an entry to the terminate session list on every logoff event. 


Figure: Actions tab of the Successful Windows Logoff rule. Under On Every Event [Active], the 
Terminate Session List action lists the same four field mappings (End Time, Target User Name, 
Target Nt Domain, Device Host Name) and the session list resource under /All Session 
Lists/Personal/admin's Session Lists/. The other triggers carry no actions. 


Here is an example of the Attributes tab for the logoff rule when it is completely configured. 


Figure: Attributes tab of the Successful Windows Logoff rule (Rule Type: Standard Rule; Parent 
Group: /All Rules/Personal/admin's Rules/Jing's Rules/; created and last updated by admin on 
1 Aug 2013). 
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Step 3 -Verify Rules 


Navigator 

Resources 

Packages Use Cases 


|_£| Rules 


Ctrl- 


qo admin's Rules 

SOI 


Jing's Rules 


!••••(£) Successful Windows Login 
1 (2 Successful Windows Logoff 
S O Shared 
S O All Rules 

S D ArcSight Administration 
SO ArcSight Core Security 
SO ArcSight Foundation 
S CJ ArcSight System 
(j Cl Personal 

SO Public 
SO Real-time Rules 
+ D Unassigned 


For each rule, we want to answer some key questions to verify the rules are working as expected. 


Rule                     Verify Questions 

Add to Session List      Is the rule triggered when a Windows login occurs? 
                         Are the values inserted into the Session List? 

Terminate Session List   Is the rule triggered when a Windows logoff occurs? 
                         Is the End Time in the Session List changing according to the rule (that is, is it 
                         terminating the session for this user)? 


To test rules before deploying: 

To test the rules before deploying in real time, we can use an active channel created from the Verify 
Rules with Events option, and also view entries in the Windows Login session list we created in the 
first step of this example. 

1. Select the Rules folder that contains them, right-click, and choose Verify Rule(s) with Events in 
the context menu. You can create a New Active Channel to test the rules. 

The following example shows the login rule triggered for several events. 
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♦127 Seo 2006 13:53:00 POT Windows User Loooff I T 


2. Choose the Lists resource in the Navigator, and click the Session Lists tab. Select your 
Windows Login Sessions list, right-click, and choose Show Entries from the context menu. 



For more information on testing rules, see "Verifying Rules with Events" on page 532. 
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Note: Once you have created and verified rules and are ready to deploy them on real-time 
events, move or copy the rules to your user folder under Real-time Rules. Only rules deployed 
in Real-time Rules filter on live events and show up in a live channel when they are triggered. 
For more information, see "Deploying Real-time Rules" on page 536. 
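The following Python script is an added example; it is not part of this guide and is not ESM code. It models what Steps 1 through 3 build (a session list keyed on Username with Overlapping Entries unchecked, one rule that adds a session and one that terminates it) and the kind of GetSessionData lookup that "Creating a Variable" consumes, so you can answer the verify questions above against a handful of constructed events. Three things are assumptions of the script rather than statements about ESM: a constructed "name" field that tells logons from logoffs (the rules above test only that the three mapped fields are NOT NULL), the behaviour that a second start for a key which already has an open session is ignored when overlapping is disabled, and the lookup function, which is the script's own.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


def parse(stamp):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' time stamps used below."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


# Constructed sample events carrying the ESM fields the two rules map.
# The 'name' field is an assumption of this example: the rules on the page
# only test the three fields for NOT NULL and do not say which field
# separates a logon from a logoff.
SAMPLE_EVENTS = [
    {"name": "Windows Logon", "end_time": "2006-09-27 14:12:33",
     "target_user_name": "steve", "target_nt_domain": "CORP", "device_host_name": "belmont"},
    {"name": "Windows Logoff", "end_time": "2006-09-27 15:18:55",
     "target_user_name": "steve", "target_nt_domain": "CORP", "device_host_name": "belmont"},
    {"name": "Windows Logoff", "end_time": "2006-09-27 15:30:00",  # fails the NOT NULL conditions
     "target_user_name": None, "target_nt_domain": "CORP", "device_host_name": "belmont"},
    {"name": "Windows Logon", "end_time": "2006-09-27 16:04:15",
     "target_user_name": "shannon", "target_nt_domain": "CORP", "device_host_name": "churchill"},
    {"name": "Windows Logon", "end_time": "2006-09-27 16:10:00",  # same key while a session is open
     "target_user_name": "shannon", "target_nt_domain": "CORP", "device_host_name": "churchill"},
]


@dataclass
class Session:
    username: str                          # the key field
    nt_domain: str
    device: str
    start_time: datetime                   # mapped from the event's End Time
    end_time: Optional[datetime] = None    # None while the session is still open


@dataclass
class SessionList:
    """Models the 'Windows Login Sessions' list: keyed on Username, Overlapping Entries unchecked."""
    overlapping: bool = False
    sessions: list = field(default_factory=list)
    rejected: int = 0   # adds dropped because the key already had an open session

    def open_session(self, username):
        return next((s for s in self.sessions if s.username == username and s.end_time is None), None)

    def add(self, username, nt_domain, device, start_time):
        # Assumption: with overlapping disabled, a second start for an open key is ignored.
        if not self.overlapping and self.open_session(username) is not None:
            self.rejected += 1
            return None
        session = Session(username, nt_domain, device, start_time)
        self.sessions.append(session)
        return session

    def terminate(self, username, end_time):
        session = self.open_session(username)
        if session is not None:
            session.end_time = end_time
        return session

    def get_session_data(self, username, at):
        """GetSessionData-style lookup: the session for username that was active at time 'at'."""
        for s in self.sessions:
            if s.username == username and s.start_time <= at and (s.end_time is None or at <= s.end_time):
                return s
        return None


def conditions_match(event):
    """The Conditions tab of both rules: the three mapped fields are NOT NULL."""
    return all(event.get(f) is not None for f in ("target_user_name", "target_nt_domain", "device_host_name"))


def successful_windows_login(event, session_list):
    """Rule 1: On Every Event -> Add to Session List, Start Time mapped from End Time."""
    if conditions_match(event) and event["name"] == "Windows Logon":
        return session_list.add(event["target_user_name"], event["target_nt_domain"],
                                event["device_host_name"], parse(event["end_time"]))
    return None


def successful_windows_logoff(event, session_list):
    """Rule 2: On Every Event -> Terminate Session List, End Time mapped from End Time."""
    if conditions_match(event) and event["name"] == "Windows Logoff":
        return session_list.terminate(event["target_user_name"], parse(event["end_time"]))
    return None


def run_rules(events):
    """Feed the events through both rules in time order, as Verify Rules with Events would."""
    session_list = SessionList(overlapping=False)
    for event in sorted(events, key=lambda e: e["end_time"]):
        successful_windows_login(event, session_list)
        successful_windows_logoff(event, session_list)
    return session_list


if __name__ == "__main__":
    for s in run_rules(SAMPLE_EVENTS).sessions:
        print(s)
```

Running it shows two sessions: steve's, terminated by the 15:18:55 logoff, and shannon's, still open. The logoff with an empty Target User Name is dropped by the NOT NULL conditions, and shannon's second logon is counted in `rejected` rather than starting a second session, which is the consequence of leaving Overlapping Entries unchecked on a host where the same user can log on twice.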


Step 4 - Use the Session List in a Report 

You can leverage session lists in a variety of resources including reports, active lists, active channels, 
data monitors, and as input to other rules. (For example, you could use a rule to correlate multiple failed 
VPN logins over a short timeframe with a particular user entry in the session list. You might specify that 
if both conditions are met, add the user to an active list such as /Active Lists/Shared/All Active 
Lists/ArcSight System/Threat Tracking/Suspicious List.) 

For this example, use the session list in a simple report. 

Create a new report on the session list for this example. The steps are: 

• Create a report 

• Choose a report template 

• Choose the session list as the data source for the report 

• Run the report 

To create a report showing the Windows logins: 

1. In the Navigator, choose the Reports resource and click the Templates tab. 

2. Expand the folder /Report Templates/Shared/All Report Templates/ ArcSight System/, 
right-click Simple Table Portrait and choose New Report from Template. 

3. Provide a name for the report (for example, Windows Login Sessions). 

4. Click the Data tab and select Session Lists for the Data Source type and the Windows Login 
Sessions list for the data source. 

5. Click Apply or OK to save the report. 

6. Still under the Reports resource in the Navigator, click the Reports tab. The report you created is 
displayed under your user folder. 

7. Select the new report, right-click and choose Run Report or Run Report with Defaults from the 
context menu. 

Following is an example of an HTML version of the Windows Login Sessions report. 
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Report 


Use numr 

NT 

Domain 

Device 

StaH Time 

End Tune 

C re a tie n Time 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

1604 15 

Sep 27 2006 

16 23 06 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

1604 15 

Sep 27 2006 

16 23 06 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

1604 15 

Sep 27 2006 

16 2306 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

1604 15 

Sep 27 2006 

16 23 06 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

1604 15 

Sep 27 2006 

16 23 06 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

1604 15 

Sep 27 2006 

16 23 06 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

1604 15 

Sep 27 2006 

162306 

shannon 


churchill 

Sep 27 2006 

1604 15 

Sep 27 2006 

16 04 15 

Sep 27 2006 

16 23 06 

shannon 


churchill 

Sep 27 2006 

1604 15 


Sep 27 2006 

16 23 06 

Steve 


belmont 

Sep 27 2006 

14 1233 

Sep 27 2006 

14 12 33 

Sep 27 2006 

1518 55 

Steve 


belmont 

Sep 27 2006 

14:12:33 

Sep 27 2006 

14 12:33 

Sep 27 2006 

151855 

Steve 


belmont 

Sep 27 2006 

14 12 33 

Sep 27 2006 

14 12 33 

Sep 27 2006 

1518 55 

steve 


belmont 

Sep 27 2006 

14 12:33 

Sep 27 2006 

14:12 33 

Sep 27 2006 

1518 55 

Steve 


belmont 

Sep 27 2006 

14 1233 

Sep 27 2006 

141233 

Sep 27 2006 

1518 55 

steve 


belmont 

Sep 27 2006 

14 12:33 

Sep 27 2006 

14 12:33 

Sep 27 2006 

151855 

steve 


belmont 

Sep 27 2006 

14 1233 

Sep 27 2006 

14 1233 

Sep 27 2006 

1518 55 

steve 


belmont 

Sep 27 2006 

14:12:33 

Sep 27 2006 

14 1233 

Sep 27 2006 

151855 

steve 


belmont 

| 

Sep 27 2006 

14 1233 

Sep 27 2006 

14 12:33 

Sep 27 2006 

1518 55 

sieve 


belmont 

Sep 27 2006 

1 4 12:33 

Sep 27 2006 

1 4:12 33 

Sep 27 2006 

151855 


belmont 



belmont 



For more information on creating and using reports, see "Creating Reports" on page 379 and "Running 
and Managing Reports" on page 448. 


Example: Using Active Lists to Correlate Users 

You can use active lists to find a value and then use that value (as a variable) in a rule. You can use 
this strategy to identify entities or objects in a variety of scenarios; for example: 

• Given that logins from the same attacker are showing up under multiple IP addresses, find out 
whether the attacks are coming from the same machine with different IP addresses. 

• Correlate user logins (e.g., onto server machines) with physical building or room entry. A user's 
login ID is not the same as badge ID. You use an active list to map various user identifiers (login, 
e-mail, badge) to a unique user ID (UUID) for each user. 

• Map UUIDs to user roles. 

• Find the current status (for example, up or down) of a given machine host name. 

• Find the current status (for example, up or down) of a given SmartConnector. 

Tip: The last two items can also be handled by data monitors. 


This example shows how to build a rule that leverages unique user ID information from a pre-populated 
active list to correlate user logins on critical servers with badge swipe entries to the server room. The 
rule is triggered when a server user login does not have a matching badge swipe ID. 

The example highlights how an active list with values can be leveraged for identity correlation. In this 
case, the active list collects target user IDs for the same user from different sources (e.g., user login, 
badge ID, e-mail address, phone number) and maps those different IDs to a unique user ID. The rule 
then uses the unique user ID to correlate badge swipe IDs with user login IDs. 

For more about active lists, see also "Creating an Active List" on page 470 and "Using Rules to 
Populate an Active List" on page 478. 


Example Overview 

For this example, consider a scenario where server machines with critical data reside in a secure area. 
Only users in a specialized group are allowed physical access to the server room (with badge swipe on 
a card reader) and user login permissions to the servers. This example assumes a policy against 
remote logins to the server room machines. 

We want to monitor and correlate user access to the server room (badge swipes) and user logins on the 
server machines, and take action (e-mail notification) if our access policies are violated. Some 
examples of policy violations that we want to catch are: 

• Cases where someone logged into a server but no badge swipe is registered. This could indicate 
policy violations such as remote logins or unauthorized server room entry (e.g., server room door 
was left open) 

• There is no matching badge swipe ID for a server console login (e.g., a user stole someone’s badge 
to get into the server room, then logged in to the server with a different user ID) 

This example assumes a pre-populated active list with values, with a schema appropriate for storing 
information about user IDs. The active list is keyed on user identifiers from various sources (e.g., user 
login, e-mail address, phone number) and maps these variants to the same unique user ID (UUID). 

The UUID can then be used as a variable in a rule for correlating user login IDs with badge IDs. We’ll 
show how to create this rule, which leverages the user information collected in the active list. 
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Step 1 - Build and Populate the Active List with User 
IDs 

This example assumes that you have a pre-populated active list that maps user identifiers from various 
sources (badge ID, user login, e-mail, phone number) to unique user IDs (UUIDs). For the purposes of 
the example, we are interested in correlating badge IDs and user logins for users who log into critical 
servers. The active list (populated with our list of users) provides the “User Map” we need to derive 
each user’s unique ID. 

The active list definition includes the following two fields with names and types as shown. "User 
Identifier" is set as the key field. This information is available in incoming events (badge swipes and 
user logins). Each user identifier is mapped to a UUID. Assume, for this example, that we got this 
mapping from the IT or Human Resources departments. The UUID value is the information we'll want 
to extract from this list via a variable. 


Field Names for Active Lists   Type     Key Fields 

User Identifier                String   Enabled 

UUID                           String 
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Inspect/Edit 


Cf ? K 


(j) Active LrstUsev Map 
Attributes Notes 


cQa Add Entry 


• Name 
Opbmce Data 

• Capacity (xlOOO) 

• TTl Days 

• TTl Hours 

• TTl Mriutes 

Resource ID 
External ID 
Alias 

Desorption 
Version ID 
Content Version ID 
Oepreceted 

Owner 

Notfication Groups 

All Active lists 

Created By 
Creation Tune 
Time Since Creation 

last Updated By 
Last Update Time 
Time Since last Update 

(Name) 

(Desorption) 


User Map - 

□ 

10 

0 

0 

0 


□ 


* Data: 

Name 
User Identifier 


UUID 


Strng 

String 




Sub-type 


EE] Key F * 

! ey-Md 




yo 


Active List Name 


Fields: The active list indudes these 
fields. User Identifier, marked as the Key- 
field, is the value returned from various 
sources (badge, user login, etc.). 

The unique user ID (UUID) that the user 
identifier maps to is provided here through 
an LDAP system, or some other data 
source. This is the focus of this active list; 
to map various user IDs to this UUID. The 
UUID will be used as a variable in a rule. 


Populating an Active List with User Data 

There are various ways to populate an active list with this kind of user information: 

• Human Resources (HR) or IT database 

• Identity management system 

• Import from a CSV file (in the Navigator, right-click the active list and choose Import CSV File. 
See "Importing and Exporting an Active List" on page 483.) 

• Manually add names to the list 


Tip: Note that this is a different type of task than populating an active list based on data 
gleaned from events (e.g., "Using Rules to Populate an Active List" on page 478). 

In this example, we already have the “map” and the values we need (the unique user IDs) 
provided in the active list, and we are going to feed them into a rule as a variable. 

In the other example (using rules to populate the active list), we are using a rule to add items to 
an active list and to discover and use values as items are added to the list. 


Here is an example of an active list pre-populated with user information (User Map Details in the 
Viewer panel: Name: User Map; Last Update: 4 Feb 2009 17:07:09 PST; Filter: No Filter; 9 shown / 9 
matches): 

User Identifier           UUID                  Creation Time         Last Modified Time    Count 

badge0123                 SamanthaStevens       3 Feb 2009 18:21...   3 Feb 2009 18:21...   1 

badgeID4156               StephanieMartinelli   3 Feb 2009 18:17...   3 Feb 2009 18:17...   1 

badgeID5245               RobertJackson         28 Jan 2009 16:3...   3 Feb 2009 18:18...   1 

rjackson                  RobertJackson         28 Jan 2009 16:3...   3 Feb 2009 18:18...   1 

rjackson@xyz.com          RobertJackson         4 Feb 2009 15:50...   4 Feb 2009 15:50...   1 

samstevens                SamanthaStevens       3 Feb 2009 18:21...   3 Feb 2009 18:21...   1 

samstevens@abc.com        SamanthaStevens       4 Feb 2009 15:49...   4 Feb 2009 15:49...   1 

stephmartinelli           StephanieMartinelli   3 Feb 2009 18:17...   3 Feb 2009 18:17...   1 

stephmartinelli@xyz.com   StephanieMartinelli   4 Feb 2009 15:50...   4 Feb 2009 15:50...   1 


If you want to follow along with the example but don’t have a database or spreadsheet of user 
information handy, you can manually add example data: 

1. Build and save the User Map active list definition as described in "Step 1 - Build and Populate the 
Active List with User IDs" on page 587. 

2. In the Navigator, right-click the User Map active list and choose Show Entries. 

The list is shown in the Viewer panel. 

3. Click the Add Entry button at the top right of the list to get the Active List Entry Editor. 

4. Use the Active List Entry Editor to manually add user identifiers and unique user IDs. Click Add 
on the editor to add each line of data. To support the example, add at least two lines for each user. 
Keep the UUID the same, but the user identifiers different to illustrate the mapping. 


User Identifier   UUID 

badge0123         SamanthaStevens 

samstevens        SamanthaStevens 

badgeID5245       RobertJackson 

rjackson          RobertJackson 


Step 2 - Create a Rule that Uses Active List Values to 
Correlate User IDs 

Now that we have an active list that maps various user IDs to unique user IDs (UUIDs), we can create 
a rule that makes use of the active list to correlate events coming from the same user with different 
user IDs (such as a badge swipe ID and a server login ID). 

The following sections show how to define this example rule. 

Attributes 

On the Attributes tab, provide a name for the rule: Server Room Console Login Policy 
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Variable 

Next, we’ll define a variable we can use to find unique user IDs (UUIDs) in the active list we created in 
the previous step ("Step 1 - Build and Populate the Active List with User IDs" on page 587). 

To define a variable for finding unique UUIDs: 

1. Create a variable called UserMap: Click the Local Variables tab for your rule. 

2. Click Add to begin. Provide these values for the variable definition. 


Option                    Specify this Value 

Name                      UserMap 

Function                  From the List category: GetActiveListValue 

List                      UserMap 

                          This is the active list we created in the previous step ("Step 1 - Build and Populate 
                          the Active List with User IDs" on page 587). 

User Identifier           Target User ID 
(Active List Key field 
mapping)                  Use the pull-down under "Field" to select the Target User ID event field. 

                          For matching events, the rule uses the value in the Target User ID field as a 
                          lookup key in the active list. 

                          For example, if the Target User ID is a login ID of "samstevens", a badge ID of 
                          "badge0123", or an e-mail address of "samstevens@abc.com", all of these resolve 
                          to a unique user ID of "SamanthaStevens" in the active list mapping. The variable 
                          value passed to the rule to be evaluated in a condition would be SamanthaStevens, 
                          the UUID for any of those user identifiers. 


The following example shows the variable definition on the Add Variable dialog. 
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3. Click OK to save the variable. 

The new variable is listed on the Local Variables tab as shown: 



Conditions 

We define the rule conditions so that each time a server machine login occurs, the rule conditions are 
evaluated. (The ServerRoomConsoleLogin condition causes this to happen.) 

Tip: For more information on using the Common Conditions Editor (CCE), see "Common 
Conditions Editor (CCE)" on page 864 and "Conditional Statements" on page 879. 

A comparison (Matching Event) is made between server room logins and badge swipe IDs in a 2- 
minute time window. The matching event uses our UserMap variable (see "Variable" on the previous 
page) to get the unique ID from the active list we built in the previous step ("Step 1 - Build and Populate 
the Active List with User IDs" on page 587). 

The rule is triggered in cases where you do not find a matching badge swipe ID for a user login. 

We define the rule conditions as follows. 




• The ServerRoomConsoleLogin condition finds server room machine logins via the event name and 
asset category. The summary of this condition is: 

ServerRoomConsoleLogin : ( Name = Console Login AND Target Asset ID InGroup("/All 
Asset Categories/Server Room Machines/") ) 

This is the “start” condition that causes the rule conditions to be evaluated because it is looking 
for server logins. 

• We define a Matching Event condition that correlates server machine logins (one type of user 
identifier) with badge IDs used for server room entry (another type of user identifier) based on the 
unique user ID (UUID)from the Active List. 

We do this by using the UserMap.UUID variable we created for this purpose (see "Variable" on 
page 591). 

Matching Event: ServerRoomConsoleLogin.UserMap.UUID = BadgeSwipe.UserMap.UUID 

If we find a badge ID matches for all server logins, the rule is not triggered. If there is a server login 
with no matching badge ID within our time window, the rule is triggered. 

• If someone logs in, we want to find a matching badge swipe ID for it. Since we are looking for users 
who logged in to servers but did not use their own badges to enter the room, we add a condition 
specifying that no badge swipe event (a negated Badge Swipe event) occurred for this user. So we 
add the event name called BadgeSwipe with condition Name = Badge Swipe Event, right-click 
the event name, and select Negated. This is to denote the event that did not occur. The summary of 
this condition is: 

! BadgeSwipe : Name = Badge Swipe Event 

The following examples show the rule conditions definition (Edit panel) and summary (Summary panel). 

Figure: the Conditions tab (Edit panel) of the Server Room Console Login Policy rule. It shows the 
ServerRoomConsoleLogin event (Name = Console Login AND Target Asset ID InGroup("/All Asset 
Categories/Server Room Machines/")), the Matching Event condition, and the negated BadgeSwipe 
event (Name = Badge Swipe Event). Callouts: 

Matching Event Condition: correlates the console login with the badge swipe through the 
UserMap.UUID variable. 

Negated Badge Swipe Event Condition: we are looking for users who logged in but did not use their 
own badges to enter the room. Adding this condition completes the scope of the conditions. When 
there is a server login, the rule correlates IDs (via the Matching Event), but triggers only if there is 
no matching badge swipe (this condition). 

Following is an example of a Rule Conditions Summary. 
Aggregation 

For this example, use default aggregation settings. Aggregate on 1 match in a 2-minute timeframe. 

Actions 

1. Click the Actions tab for the rule to set up an action to take if the server room is breached. 

2. Select On First Event (this trigger is activated by default), right-click and choose Add > Send 
Notification to bring up the Add “Send Notification” Action dialog. 

3. Choose the Destination Group for the e-mail, type in a message, and click OK to add this action to 
the On First Event trigger. 

For this example, we chose SOC Operators as the Destination Group. Our message is “Server 
room breach”. 



4. Click OK to save the notification definition. 
When the action is configured, it is displayed under the “On First Event” trigger as shown in the figure. 
According to this rule, a message is sent on the first trigger event, that is, the first event in every time 
window that indicates a server room policy violation. 


[Figure: Rule Actions tab for the Server Room Console Login rule. Under On First Event [Active], the Send 
Notification action is listed with AckRequired: Yes, NotificationMessage: Alert! Server room breach!, and 
Resource: /All Destinations/SOC Operators/. The remaining triggers (On Subsequent Events, On Every Event, 
On First Threshold, On Subsequent Thresholds, On Every Threshold, On Time Unit, On Time Window 
Expiration - Cumulative Rule Chain Is Off) have no actions.] 

Click Apply or OK on the rule editor to save the example rule. 
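As an added illustration (example code, not part of this guide or of ESM), the following Python reproduces the logic of the rule above over constructed events: the UserMap active list and the Server Room Machines asset category are stand-ins, the 2-minute window and the On First Event notification follow the settings above, and the assumption that a badge swipe precedes its console login is ours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the UserMap active list: both identifier types
# (login name, badge ID) resolve to one UUID, as the UserMap.UUID variable does.
USER_MAP = {
    ("login", "jdoe"): "uuid-1001",
    ("badge", "BADGE-77"): "uuid-1001",
    ("login", "asmith"): "uuid-1002",
    ("badge", "BADGE-88"): "uuid-1002",
}

# Constructed stand-in for /All Asset Categories/Server Room Machines/.
SERVER_ROOM_MACHINES = {"srv-db-01", "srv-app-02"}

NOTIFICATION_GROUP = "/All Destinations/SOC Operators/"
MESSAGE = "Server room breach"


@dataclass
class Event:
    name: str
    time: datetime
    user: str                 # login name for console logins, badge ID for swipes
    target_asset: str = ""


def is_server_room_console_login(e: Event) -> bool:
    # ServerRoomConsoleLogin: Name = Console Login AND Target Asset ID InGroup(...)
    return e.name == "Console Login" and e.target_asset in SERVER_ROOM_MACHINES


def is_badge_swipe(e: Event) -> bool:
    # BadgeSwipe: Name = Badge Swipe Event
    return e.name == "Badge Swipe Event"


def user_map_uuid(e: Event):
    # Equivalent of the UserMap.UUID variable for either identifier type.
    key = ("badge", e.user) if is_badge_swipe(e) else ("login", e.user)
    return USER_MAP.get(key)


def find_breaches(events, window=timedelta(minutes=2)):
    """Server room console logins with no badge swipe by the same UUID in the window.

    Matching Event: ServerRoomConsoleLogin.UserMap.UUID = BadgeSwipe.UserMap.UUID
    Negated event:  ! BadgeSwipe
    Assumption: the swipe must precede the login by at most `window`.
    A login whose user is unknown to the map can never match and is a breach.
    """
    swipes = [e for e in events if is_badge_swipe(e)]
    breaches = []
    for login in events:
        if not is_server_room_console_login(login):
            continue
        uuid = user_map_uuid(login)
        matched = uuid is not None and any(
            user_map_uuid(s) == uuid and login.time - window <= s.time <= login.time
            for s in swipes
        )
        if not matched:
            breaches.append(login)
    return breaches


def on_first_event_notifications(breaches, window=timedelta(minutes=2)):
    """One notification per time window: the rule's On First Event trigger."""
    notifications = []
    window_start = None
    for b in sorted(breaches, key=lambda e: e.time):
        if window_start is None or b.time >= window_start + window:
            window_start = b.time
            notifications.append({
                "time": b.time,
                "destination": NOTIFICATION_GROUP,
                "message": f"{MESSAGE}: {b.user} on {b.target_asset}",
            })
    return notifications


def T(hh_mm_ss):
    return datetime(2014, 1, 29, *map(int, hh_mm_ss.split(":")))


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("Badge Swipe Event", T("12:00:00"), "BADGE-77"),
    Event("Console Login", T("12:00:30"), "jdoe", "srv-db-01"),       # badged in: OK
    Event("Console Login", T("12:01:00"), "asmith", "srv-app-02"),    # no swipe: breach
    Event("Console Login", T("12:01:30"), "jdoe", "workstation-05"),  # not a server room machine
    Event("Console Login", T("12:02:00"), "asmith", "srv-db-01"),     # breach, same window
    Event("Badge Swipe Event", T("12:04:00"), "BADGE-88"),
    Event("Console Login", T("12:04:30"), "asmith", "srv-db-01"),     # badged in: OK
    Event("Console Login", T("12:05:00"), "mallory", "srv-db-01"),    # unknown user: breach
]

if __name__ == "__main__":
    for n in on_first_event_notifications(find_breaches(SAMPLE_EVENTS)):
        print(n["time"], n["destination"], n["message"])
```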
Chapter 22: Case Management and Queries 

Cases track individual or multiple related events and export event data to third-party products. Cases 
can stand alone or integrate with a third-party case management system, such as HP Service Manager 
or BMC Remedy. 

A case contains information about an incident, usually with one or more events attached. Use cases to 
track, investigate, and resolve events. Where cases are similar, you can copy events directly from one 
case to another. You assign cases of interest to analysts, who can investigate and resolve them based 
on severity and enterprise policies. You can also use rules to automatically open a case when certain 
conditions are met. 

You can assign cases to groups of users who receive a notification with access to the case and its 
associated data. Those users can take action on the assigned case and specify other actions to be 
taken, assign it to another user, or resolve the case. 


Creating or Editing a Case 596 

Managing Cases 604 

Working with Events in Cases 609 

Managing Case Groups 613 

Viewing Group Cases in a Grid View 614 

Running Case Queries 615 

Creating a Report from a Case 615 

Using External Case Management Systems 622 


Creating or Editing a Case 

This topic describes how to create or edit a case as part of an existing case group. You can have more 
than 1,000 cases per case group. If you have 1,000 cases or less, you can view them by expanding the 
case group node on the resource navigator tree. Beyond 1,000 cases, create an active channel or query 
viewer based on a filter for case group ID to view all cases in the group. See "Monitoring Events" on 
page 210 for details about active channels and query viewers. 

By default, you are only required to set the case’s Name field. HP provides the ability to customize 
fields on the Case Editor UI and mark them as mandatory, like the Name field. This is done through the 
assistance of HP Customer Support or HP Professional Services for ArcSight products. 
To create or edit a case and define Initial settings: 

1. Choose the Cases resource tree in the Navigator panel. 

2. If you are creating a case, right-click a case group and choose New Case; or choose the New 
Case option on the File menu. 

If you are editing a case, right-click and select Lock Case to prevent others from modifying 
the case while you're editing it. Then right-click and choose Edit Case. 

If you forget to lock the case first, the case's editable fields are disabled. 

Caution: Rules can also automate making updates to existing cases based on event 
conditions. However, if a case is locked when the rule triggers, the rule action will fail to 
update the case. 

For details on the rule action on cases, refer to "Rule Actions Reference" on page 520. 

3. In the Case Editor, select the Initial tab. Set each subtab as follows: 

a. See "Using the Initial - Attributes Tab" on the next page for details. 

b. See "Using the Initial - Description Tab" on page 599 for details. 

c. See "Using the Initial - Security Classification Tab" on page 600 for details. 

4. Select the Follow Up tab. See "Using the Follow Up Tab" on page 600 for details. 

5. Select the Final tab. Set each subtab as follows: 

a. See "Using the Final - Attack Mechanism Tab" on page 601 for details. 

b. See "Using the Final - Attack Agent Tab" on page 601 for details. 

c. See "Using the Final - Incident Information Tab" on page 602 for details. 

d. See "Using the Final - Vulnerability Tab" on page 602 for details. 

e. See "Using the Final - Other Tab" on page 603 for details. 

6. Select the Events tab. See "Using the Events Tab" on page 603 for details. 

7. Select the Attachments tab. See "Using the Attachments Tab" on page 604 for details. 

8. For the optional Common section, refer to "Common Resource Attribute Fields" on page 685. 

9. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

10. Click OK. 
Using the Initial - Attributes Tab 

The fields on a case's Attributes Tab provide basic case information. 


Case Section 

• Name: Required field specifying the name of the case. 

• Display ID: An identification provided by an external tracking system. Automatically assigned when a 
new case is first saved. 

Ticket Section 

• Ticket Type: Drop-down list includes Internal, Client, and Incident types. 

• Stage: Indicates the workflow stage of the ticket; default selections include Queued, Initial, 
Follow-Up, Final, and Closed. See also "Creating or Editing Stages" on page 280. 

• Frequency: Indicates how often the reported issue occurs. Values assigned are 0 (never or once), 
1 (less than 10 times), 2 (10 to 15 times), 3 (15 times), 4 (more than 15). 

• Operational Impact: Impact of the reported issue. Values assigned are 0 (no impact), 1 (no 
immediate impact), 2 (low priority impact), 3 (high priority impact), 4 (immediate impact). 

• Security Classification: Values assigned are 1 (Unclassified), 2 (Confidential), 3 (Secret), 4 
(Top Secret). 

• Consequence Severity: Values assigned are 0 (None), 1 (Insignificant), 2 (Marginal), 3 (Critical), 
4 (Catastrophic). 

• Reporting Level: Number calculated based on the Ticket values entered. 

Tip: You can use entries in all case Ticket fields to generate reports so you can categorize cases 
based on specific case information. 


Incident Information Section 

• Detection Time: Automatically assigned based on the first event that is added to a case. Time is 
based on the Manager’s system time. After assignment, the value does not change even if you add 
events or remove existing events. 

• Estimated Start Time: Automatically assigned based on the Manager Receipt Time (MRT) of the oldest 
event attached to the case, even if more recent events have been added to the case prior to this 
oldest event. If you remove this oldest event from the case, Estimated Start Time takes the MRT of 
the next oldest event in the case, and so on. If you remove all events from the case, the field will 
be blank. 

• Estimated Restore Time: This is a user-entry field to denote the date when the case is resolved. 
Select a timestamp from the calendar popup. 

Property / Usage 

• Ticket Type: The drop-down list includes Internal, Client, and Incident types. 

• Stage: Selections indicate the workflow stage of the ticket; default selections include Queued, 
Initial, Follow-Up, Final, and Closed. (See also "Creating or Editing Stages" on page 280.) 

• Frequency: Indicates how often the reported issue occurs. Values assigned are 0 (never or once), 
1 (less than 10 times), 2 (10 to 15 times), 3 (15 times), 4 (more than 15). 

• Operational Impact: Impact of the reported issue. Values assigned are 0 (no impact), 1 (no 
immediate impact), 2 (low priority impact), 3 (high priority impact), 4 (immediate impact). 

• Security Classification: Values assigned are 1 (Unclassified), 2 (Confidential), 3 (Secret), 4 
(Top Secret). 

• Consequence Severity: Values assigned are 0 (None), 1 (Insignificant), 2 (Marginal), 3 (Critical), 
4 (Catastrophic). 

• Reporting Level: Calculated based on the Ticket info values entered. You can also use entries in 
all Case Ticket fields to generate reports so you can categorize cases based on specific case 
information. 

• Incident Information: Automatically populated based on events included in the case. 

Assign Section 

• Owner: One or more ESM users designated as owner(s) of the case. 

• Notification Groups: One or more notification groups to be notified about the case. 


Using the Initial - Description Tab 

The fields on this tab further describe a case. Enter information as required by your business. 
Case Editor Description Tab 


• Affected Services: Text field allowing entry of up to 4000 characters. 

• Affected Elements: Text field allowing entry of up to 4000 characters. 

• Estimated Impact: Text field allowing entry of up to 4000 characters. 

• Affected Sites: Text field allowing entry of up to 4000 characters. 


Using the Initial - Security Classification Tab 

The fields on this tab describe the security classification for a case. 

Security Classification Section 

• Attack Mechanism: Options include: P (Physical), O (Operational), I (Informational), and 
U (Unknown). 

• Attack Agent: Options include: I (Insider), C (Collaborative), O (Outsider), and U (Unknown). 

• Incident Source 1: Editable text. 

• Incident Source 2: Editable text. 

• Vulnerability: Options include: D (Design), O (Operational), E (Operational Environment), and 
U (Unknown). 

• Sensitivity: Options include: U (Unclassified), C (Confidential), S (Secret), and T (Top Secret). 

• Associated Impact: Options include: A (Availability), C (Confidentiality), I (Integrity), and 
U (Unknown). 

• Action: Selections include: B (Block/Shutdown), M (Monitoring), and O (Other). 

Security Classification Code Section 

• Code: Value automatically calculated from the other Security Classification field entries. 


Using the Follow Up Tab 

The fields on this tab describe follow-up entries for a case. Enter information as required by your 
business. 
Case Editor Follow-Up Tab 


• Actions Taken: Text field allowing entry of up to 4000 characters. 

• Planned Actions: Text field allowing entry of up to 4000 characters. 

• Recommended Actions: Text field allowing entry of up to 4000 characters. 

• Followup Contact: Text field allowing entry of up to 4000 characters. 


Using the Final - Attack Mechanism Tab 


The fields on this tab provide final ticket resolution and reporting information for the attack mechanism 
associated with a case. 

Case Editor Attack Mechanism Tab 

• Attack Mechanism: Auto-populated from the Security Classification tab. Possible values are 
P (Physical), O (Operational), I (Informational), and U (Unknown). 

• Attack Protocol: Text field allowing entry of up to 64 characters. 

• Attack OS: Text field allowing entry of up to 64 characters. 

• Attack Program: Text field allowing entry of up to 255 characters. 

• Attack Time: Date field. Defaults to the current time. Set by choosing values from the calendar. 

• Actions Target: Text field allowing entry of up to 4000 characters. 

• Attack Service: Text field allowing entry of up to 4000 characters. 

• Attack Impact: Text field allowing entry of up to 4000 characters. 

• Final Report Action: Text field allowing entry of up to 4000 characters. 


Using the Final - Attack Agent Tab 

Fields on this tab provide ticket resolution and reporting information related to the attack agent 
associated with a case. 
Case Editor Attack Agent Tab 


• Attack Agent: Auto-populated from the Security Classification tab. Possible values are I (Insider), 
C (Collaborative), O (Outsider), and U (Unknown). 

• Attack Location Id: Text field allowing entry of up to 255 characters. 

• Attack Node: Text field allowing entry of up to 255 characters. 

• Attack Address: Text field allowing entry of up to 255 characters. 


Using the Final - Incident Information Tab 


The fields on this tab provide final incident information associated with a case. 

Case Editor Incident Information Tab 

• Incident Source 1: Auto-populated from the Security Classification tab. 

• Incident Source 2: Auto-populated from the Security Classification tab. 

• Incident Source Address: Text field allowing entry of up to 200 characters. 


Using the Final - Vulnerability Tab 


The fields on this tab provide final ticket resolution and reporting information related to the 
vulnerabilities associated with a case. 

Case Editor Vulnerability Tab 

• Vulnerability: Auto-populated from the Security Classification tab. Possible values are D (Design), 
O (Operational), E (Operational Environment), and U (Unknown). 

• Vulnerability Type 1: Selections include: Accidental or Intentional. 

• Vulnerability Type 2: Selections include: EMI/RFI, Insertion of Data, Theft of Service, 
Unauthorized, Probes, Root Compromise, DoS Attack, User Account. 

• Vulnerability Evidence: Text field allowing entry of up to 4000 characters. 

• Vulnerability Source: Text field allowing entry of up to 4000 characters. 

• Vulnerability Data: Text field allowing entry of up to 4000 characters. 
Using the Final - Other Tab 


The fields on this tab provide miscellaneous ticket resolution and final reporting information. 

Case Editor Other Tab 

• History: Selections include: Known Occurrence and Unknown. 

• No Occurrences: Numeric value. 

• Last Occurrence Time: Enterable time or selector. 

• Resistance: Selections include: High, Low, Unknown. 

• Consequence Severity: Auto-populated from the Initial Attributes tab. 

• Sensitivity: Auto-populated from the Initial Attributes tab. 

• Recorded Data: Text field allowing entry of up to 4000 characters. 

• Inspection Results: Text field allowing entry of up to 4000 characters. 

• Conclusions: Text field allowing entry of up to 4000 characters. 


Using the Events Tab 

The fields on this tab provide a list of the events included in a case. See the following topics for details 
on how events are added to the case: 

• "Working with Events in Cases" on page 609 

• "Applying Rule Actions on Cases" on page 527 

Case Editor Events Tab 

• Description: Events auto-populated from events included in a case. 

• Event Info and Payload fields: For selected events, displays event field values and, if available, 
payload fields. If a rule created or updated the case, the tab displays the rule correlation event that 
triggered updates on the case. Additionally, if also configured in the rule, the correlated base events 
are included. 
Using the Attachments Tab 

This tab lists attachments (if any) for the case, and provides options to attach new items via a file 
browser or detach items. 

Click Attach, browse to the location of the file, select it, and click OK. 

Note: Files attached to the case are stored along with the case, and additionally stored in the Files 
resource. Space usage may eventually increase. To manage space usage, see the Best Practices 
section in the topic, "Best Practices on Attaching Files to a Case" on the next page. 


Managing Cases 

This topic describes the basic tasks necessary to create, manage, and delete cases. 

Cases can be created and automatically updated as a rule action when the conditions of the rule are 
met by incoming events. You can also add an event to a case directly from resources that monitor 
events, such as active channels and dashboards. 

By default, you are only required to set the case’s Name field. Beginning with ESM 6.5c SP1, HP 
provides the ability to customize fields on the Case Editor UI and mark them as mandatory, like the 
Name field. This is done through the assistance of HP Customer Support or HP Professional Services 
for ArcSight products. If you have upgraded from an older ESM version, verify if mandatory fields have 
been defined to suit your business requirements after the upgrade. If so, note that cases created in the 
previous version will now have the required fields. If you view the old cases on the Case Editor UI in 
ESM 6.5c SP1, you will not be able to close the case’s Inspect/Edit panel without setting the required 
fields. 


Finding Cases 

You can locate a particular ArcSight case by its reference ID if you want. 

1. Right-click a group in the Cases resource tree and choose Edit Case by ID. 

2. Enter the ID string in the dialog box and click OK to display it in the Case Editor. 

When working from cases listed in a Viewer panel channel view, you can locate a particular case's 
position in the Navigator panel's resource tree. 

1. Right-click a case in the channel grid view and choose Find Case in Navigator. 

2. Look for the highlighted item in the Navigator panel's Cases resource tree. 


Chapter 22: Case Management and Queries 


Attaching a File to a Case 

Make sure that since installing the Console you have logged in at least twice before attaching a file. A 
second login solves an authentication problem that can prevent you from attaching or uploading a file. 

To attach a file: 

1. Open an existing case and click Lock to edit it. 

2. Click Attachments and attach by uploading the file. 

• File Name: The default is the uploaded filename, which you can change. 

• Attachment Name: A descriptive name for the file. This name can differ from the actual file name, 
and can include spaces. If you do not provide an alternative name here, the original file name is 
used. 

• Attachment Description: Optional description of the file. 

• Sharing: Click Share this file in ArcSight if you want to make the file available as a shared 
resource on the ArcSight Manager. 

• Mime Type: Read-only field that indicates the Multipurpose Internet Mail Extensions (MIME) type 
of the attached file. 

• Encoding: Text encoding; for example, you could select Chinese text for internationalization 
requirements. 

3. Click Attach. 

The Attachments tab displays the list of attached files. A file resource is created for each 
attachment. See "Managing File Resources" on page 671 for additional information. 

4. Select a file to view its summary. From the summary view, you can attach or detach a file. 

■ Attach: attaches the file to the case. 

■ Detach: removes the file from the case. 

5. Unlock the case if you want the case available for editing by other administrators. 

Best Practices on Attaching Files to a Case 

ESM automatically creates a file resource for every file that you attach to a case. These file resources 
are stored in /All Files/Attachments. If you are creating packages of such cases, the package will 
also include the actual attachments. This means the attachments exist twice in the database, as file 
resources and as part of the package. You should therefore consider the size of the attachment files; 
for example, attachments of 20 MB and above use up a lot of space. If you are creating case packages 
every month for backup purposes, the space usage will increase exponentially since additional file 
resources are created. 

To manage space usage, you can do the following: 

• Avoid attaching multiple large files to a case. Keep those files in a safe and separate repository. 
Create a single file containing a list of pointers to the location of related files and attach that list to 
the case instead. 

• If cases are closed, consider packaging them, exporting the packages to a separate and safe 
repository, then deleting the cases from ESM. When cases are deleted, the case attachments (the 
file resources) are also deleted. 

For more information about creating packages and exporting them, see "Managing Packages" on 
page 693. 

Viewing a Case Attachment 

Once a file is attached to a case, anyone viewing the case can view details about the file and download 
it. To do this, open a case and click the Attachments tab, which lists files attached to the selected 
case. Right-click a file name and choose Open to open the file or Download to download the file to 
your local system. 

If you click Download, you get a file browser in which to navigate to the local directory where you want 
to store the file. In the File Name field, type the name under which you want to store the file on your 
local system and click Save. The file is saved as specified. 

If the case attachment was also added as a shared resource, the file is available in the ArcSight 
Manager Files resource folders. To access a shared file, choose Files in the Navigator and browse the 
folders, or choose Edit > Find Resource from the menus, enter the file name in the Search query 
field, and click Find. (See "Finding Resources" on page 687 for more information on this utility.) 


Tracking Modifications to a Case 

A case’s Notes tab includes information on changes to that case. You can also view audit events on 
multiple cases on the event viewer panel (see "Monitoring Events" on page 210 for different 
methodologies of displaying events). 

Viewing the Case’s Notes Tab 

The lower part of a case’s Notes tab contains information on changes made to the case. The changes 
are presented in two formats: the Table subtab presents, in row format, the date, the case’s owner, and 
the author of the change. The List subtab contains the corresponding information plus the specific 
changes made, for example: 
[0] Author: admin Date: 29 Jan 2014 12:02:37 PST 
Case changed by user 'admin' 

The change(s) are as follows 
Ticket Type: [Internal] -> [Client] 

Stage: [Queued] -> [Initial] 

Frequency: [0] -> [2] 
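The List subtab text above is regular enough to be parsed outside the Console. The following is an added example (not part of this guide or of ESM) that parses constructed entries in that format and picks out changes to the fields that decide how a case is prioritized or closed; the format is assumed from the single entry shown above, and the parser and field names are ours.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the Notes tab List subtab format.
SAMPLE_HISTORY = """\
[0] Author: admin Date: 29 Jan 2014 12:02:37 PST
Case changed by user 'admin'

The change(s) are as follows
Ticket Type: [Internal] -> [Client]

Stage: [Queued] -> [Initial]

Frequency: [0] -> [2]

[1] Author: analyst1 Date: 29 Jan 2014 14:10:05 PST
Case changed by user 'analyst1'

The change(s) are as follows
Stage: [Initial] -> [Closed]

Consequence Severity: [3] -> [0]
"""

# "[n] Author: <user> Date: <timestamp>" opens an entry; "Field: [old] -> [new]" is one change.
HEADER_RE = re.compile(r"^\[(\d+)\] Author: (\S+) Date: (.+)$")
CHANGE_RE = re.compile(r"^([^:\[\]]+): \[(.*?)\] -> \[(.*?)\]$")


@dataclass
class HistoryEntry:
    index: int
    author: str
    date: str
    changes: list = field(default_factory=list)   # (field name, old value, new value)


def parse_case_history(text: str):
    """Turn List subtab text into HistoryEntry objects (hypothetical helper)."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = HistoryEntry(int(m.group(1)), m.group(2), m.group(3))
            entries.append(current)
            continue
        m = CHANGE_RE.match(line)
        if m and current is not None:
            # Lines such as "Case changed by user 'admin'" carry no change and are skipped.
            current.changes.append((m.group(1), m.group(2), m.group(3)))
    return entries


def review_worthy(entries, watched=("Stage", "Consequence Severity", "Security Classification")):
    """Changes to prioritization or closure fields, with the entry index and author."""
    flagged = []
    for e in entries:
        for name, old, new in e.changes:
            if name in watched:
                flagged.append((e.index, e.author, name, old, new))
    return flagged


if __name__ == "__main__":
    for item in review_worthy(parse_case_history(SAMPLE_HISTORY)):
        print(item)
```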


Creating an Event Viewer for Cases’ Internal Audit Events 


Note: For a user to be able to view internal audit events, that user must belong to a group that has 
access to the following filter: 

/All Filters/ArcSight Administration/ESM/System Health/Events/Audit/ArcSight 
Audit Events 

This filter is added to the group’s ACL Editor settings on the Events tab and applies to audit events 
for all resources. Refer to "Adding or Removing Enforced Filters" on page 196 for instructions. 

Through an active channel, query viewer, or data monitor using the proper filter, you can view details on 
modifications done to cases. 


Refer to "Monitoring Events" on page 210 for the different ways to create an event viewer. Use the 
following fields in your event viewer to capture audit events related to the case: 


Field or Column / Displayed Information 

• Name: Event name, for example, Case updated or Note inserted. 

• File Name: The case’s name. 

• Target User Name: The user who made the change. 

• Device Custom String3 (Label: AttachedTo): For the “Note inserted” event, the resource type, Case, 
to which the note is attached. 

• Device Custom String4 (Label: AttachedToID): For the “Note inserted” event, the resource ID of the 
case to which the note is attached. 

• Device Custom String5 (Label: AttachedToName): For the “Note inserted” event, the display name of 
the case to which the note is attached. 


Tip: You can copy the resource ID displayed in Device Custom String4 (AttachedToID), paste 
it into the Console’s search box, and go to the actual case resource. 
Moving or Copying a Case to a Group 

While moving a case, you can choose to move it completely, make a separate copy, or make a copy 
that is still linked to the original. 

1. In the Cases resource tree, navigate to a case and drag and drop it into another group. 

2. Choose Move to move the case, Copy to make a separate copy of the case, or Link to create a 
copy of the case that is linked to the original case. 

If you choose Copy, you create a separate copy of the case that is not affected when the original case 
is edited. If you choose Link, you create a copy of the case that is linked to the original case. 
Therefore, if you edit a linked case, whether the original or the copy, all links are edited as well. When 
deleting linked cases, you can either delete the selected case or all linked case copies. 


Granting Permission to Delete Cases 

By default, new user groups added under Custom User Groups are not allowed to delete cases. The 
ability to delete cases is controlled by the permission, /All Permissions/ArcSight System/Case 
Operations/Case Delete, set in the group’s ACL Editor on the Operations tab. 



A user can belong to multiple groups. If at least one of those groups has permission to delete cases, 
then the user will have the ability to do so; the permission to delete cases takes precedence. 

To grant or remove permission to delete cases: 

1. Right-click the user group and choose ACL Editor. 

2. Follow the instructions in "Granting or Removing Operations Permissions" on page 192 to grant or 
remove the /All Permissions/ArcSight System/Case Operations/Case Delete permission 
on the ACL Editor’s Operations tab. 

3. If you are granting permission to delete cases, go to the Resources tab: 

a. Follow the instructions in "Granting or Removing Resource Permissions" on page 190 to add 
/All Cases/All Cases to the list of resources. 

b. Check the R and W boxes to grant read and write access. 


Deleting a Case 

Caution: Prior to deleting cases, decide if you want to preserve them after deletion. If so, add this 
property (or ask an administrator to add it) in the server.properties file before deleting any 
cases: 

case.archive_ondelete.enabled=true 

The archived deleted cases are stored as read-only snapshots for historical purposes in the 
Manager’s archive/cases directory. The filename format of the archived case is 

YYYY-MM-DD <deleted case name>.xml 

For important details on changing properties files, refer to the topic, “Managing and Changing 
Properties File Settings” under the “Configuration” section of the ESM Administrator’s Guide. 

There are two conditions where you cannot delete a case (right-click option to delete the case is 
disabled): 

• The case is locked. 

• You belong to a user group that does not have permission to delete cases. This permission, /All 
Permissions/ArcSight System/Case Operations/Case Delete, is granted through a user 
group’s ACL setting. 

To delete a case: 

1. In the Cases resources tree, unlock the case you want to delete, if necessary. 

2. Right-click a case and choose Delete Case. 

3. In the dialog box, click Yes. 


Note: For related information on the effect on linked cases, see "Moving or Copying a Case to 
a Group" on the previous page. 


Working with Events in Cases 

This section describes the process of adding and viewing events associated with cases. The case’s 
Events tab displays events that were added to the case. Events are added to the case through any of 
these methods: 
• Automatically through a rule. The correlation event that triggered the creation or the update of the 
case is automatically added to the case’s Events tab. The correlated base events are also included 
if the rule author selected this option. See "Including Base Events through a Rule" below. 

• Manually from an event grid such as an active channel, data monitor, or query viewer. See "Creating or 
Updating a Case from Displayed Events" on the next page. 

• Manually from another case’s event channel. See the topic, "Copying Event Details from Case to 
Case" on page 612. 

The events added to a case are attached to the case itself, therefore preserving case event history over 
time. See also "Collaborating on Events (Event Annotation)" on page 277. 


Viewing a Case's Events in a Channel 

ESM provides two ways to view the events attached to a case: 

• Right-click a case on the resource tree and select Case Details Channel. 

• Create an active channel by following the instructions in "Creating or Editing an Active Channel" on 
page 213, and use the filter condition, InCase, to identify the case to be evaluated. 

Both channel types are static. This means the channel evaluates the case once, and then displays the 
events found in the case at that time. In an active channel using the filter with an InCase condition, the 
filter evaluates for a True or False condition. If events are attached to the case at the time of evaluation 
(the condition evaluates to True), these events are displayed on the channel, after which further 
evaluation stops. Even if the active channel using the InCase filter condition is set with the 
Continuously Evaluate option, new events added to the case itself after the initial evaluation are not 
displayed. 

To update (refresh) the Case Details Channel or the active channel that uses the 
InCase filter: 

Close, then re-open the channel. 


Including Base Events through a Rule 

You can define a rule action to add events to a case. By default, if a rule action creates or updates a 
case, the case’s Events tab automatically includes the correlation event generated by the rule. You can 
also configure that same rule to include base events to be part of the case’s events. See "Rules 
Authoring" on page 493 and the Case rule action listed in "Rule Actions Reference" on page 520. After 
base events are included, you can view them on the case’s Events tab by expanding the correlation 
event. 
Creating or Updating a Case from Displayed Events 

Caution: Events added to a case are accessible in the context of that case to any user who has 
permissions to view or edit the case. Users who do not otherwise have permissions on the events 
themselves can still view the full events in the context of a case to which they are assigned. 

As a best practice, keep this in mind when adding events to a case and setting access control lists 
(ACLs) on cases. For more information on ACLs, see "Granting or Removing Resource 
Permissions" on page 190. 

You can create or update cases directly from the Viewer panel while you are monitoring suspicious 
events. The events you select for the case are displayed on the case’s Events tab. 

To add events to a case: 

1. If you are using this procedure to add events to an existing case, make sure the case is locked to 
prevent others from making changes to the case while you are working on it. 

On the event grid view, select one or more events. 

2. Right-click a case and choose Case Details Channel. 

3. Right-click and choose one of the following: 

■ Add to Case > New Case to create a new case. 

■ Add to Case > Case in Editor if you already have the case displayed on the Inspect/Edit 
panel. 

Note: Here are additional options for adding events to cases. 

o If there are multiple Case Editors open when you choose Add to Case > Case in 
Editor, the selected events are added to the Case Editor in focus (showing on top of the 
others). 

o If no Case Editors are currently open but you choose Add to Case > Case in Editor 
option anyway, a new case is created and the selected events are added to it. 

■ Case > Other to bring up the Case Selector dialog. Navigate to the case where you want to add 
the events, select the case, and click OK. 

The selected events appear in the Case Editor on the Events tab. 

4. For new cases, follow additional instructions in "Creating or Editing a Case" on page 596. 
5. Click OK. 

Console adds the events and displays the destination case’s Events tab. 

6. To view the added events on this tab, expand Other selected Event(s). 

Tip: Events related to a case are preserved in the case’s Events tab for tracking purposes 
even after the retention period where the events would typically age out of the database. 
However, on the channel, the events are available based on the retention period of the Default 
Storage Group. For details on the retention period and how to change it, refer to the 
Administration section of the ArcSight Command Center User’s Guide. See the topic, 
“Storage,” for information about editing the retention period of Default Storage Group. 


Copying Event Details from Case to Case 

Within the same ESM installation, you can copy event details from Case A to Case B, for situations 
where those two cases are similar but tracked separately. If Case A is deleted, the copied events in 
Case B are still available on Case B’s Events tab. You can only copy event details between two 
existing cases. 

To copy events directly from the source case: 

1 . Open the destination case for editing and lock it. 

2. Display the source case’s Events tab, right-click the event(s), and choose Add Event(s) to 
Case. 

3. On the Case Selector popup, select the destination case. 

Console adds the events and displays the destination case’s Events tab. 


Note: You can also copy events into a case from any event viewer, like an active channel, 
query viewer, case details channel, or data monitor. See "Creating or Updating a Case from 
Displayed Events" on the previous page. 


Deleting Events from a Case 

1. In the Cases resource tree, right-click a case and choose Edit Case. 

2. In the Case Editor, select the Events tab. 
3. Select one or more events. 

4. Right-click and choose Remove from Case. 

5. In the dialog box, click Yes. 


Managing Case Groups 

Case groups are created to store similar groups or cases in a single location. Groups can be created 
within groups to meet enterprise needs. 

Caution: Do not exceed 10,000 resources in a group. 

You can manage groups and cases with drag and drop functionality. Move or copy groups and cases 
into other groups from the Cases window. If a group is deleted, the cases within that group are also 
deleted. 


Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 


To create a case group: 

1. From the Navigator Panel drop-down menu, select Cases. 

Cases are displayed in different colors based on the assigned "Consequence Severity" in the 
case. The severity descriptions are Catastrophic (Dark Red), Critical (Red), Marginal (Orange), 
Insignificant (Green), or None (Gray). 

Note: Before being able to edit a case that has already been saved, you need to lock the case 
by selecting the Lock Case checkbox, so other users cannot modify the case while you're 
editing it. 

2. In the Cases resource tree, right-click a group and choose New Group. 

3. A Name text field appears under the group you selected. 

4. In the name text field, type in a name. 

5. Press Enter. 
To rename a case group: 

1. In the Cases resource tree, right-click a group and choose Rename. 

2. In the Name text field, rename the group. 

3. Press Enter. 

To edit a case group: 

1. In the Cases resource tree, right-click a group and choose Edit Group. 

2. In the Group Editor, edit the Name and Description text field. 

3. Click OK. 

To move or copy a case group: 

1. In the Cases resource tree, navigate to a group and drag and drop it into another group. 

The ArcSight Console displays a dialog box with drag-and-drop options. 

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you choose Copy, you create a separate copy of the group that is not affected when the original 
group is edited. If you choose Link, you create a copy of the group that is linked to the original group. 
Therefore, if you edit a linked group, whether the original or the copy, all links are edited as well. When 
deleting linked groups, you can either delete the selected group or all linked groups. 

To delete a case group: 

1. In the Cases resource tree, right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 

Deleting a case group means all cases under the group are deleted. If you delete a linked group, the 
original group is also deleted. 


Viewing Group Cases in a Grid View 

When you right-click a case group in the Cases resource tree in the Navigator panel, and choose Show 
Cases, you see that group's cases listed in a Case Details view in the Viewer panel. Click any case in 
the grid to work with it individually. You can also: 
• Right-click any column heading to get a menu of column configuration options. 

• Right-click any individual case's fields to get a menu of case handling options, described below. 


Option                      Description 

Edit Case                   Open a case in the Inspect/Edit panel for editing. 
Delete Case                 Delete the selected case. 
Case Detail Channel         Display the base events added to the case. 
Export to external system   Export the case to an external tracking system. 
Edit Case by ID             Find a case by its Display ID value. 
Find Case in Navigator      Expand the group where this case belongs and highlight the case. 
Lock Case                   Prevent other users from making changes to the case. 


Running Case Queries 

You can create a specific case search group based on the value of a particular case attribute. The 
search group is updated with all cases matching the condition. 

To set up a case search group: 

1. Choose the Cases resource tree in the Navigator panel. 

2. Right-click a group in the tree and choose New Search Group. 

3. Give the search group a suitable name. 

4. On the Conditions tab, add a case condition. For example, if you want this search group to contain 
all cases owned by CaseAdmin, the condition would say 

Owner = CaseAdmin 

The search group is populated with all cases assigned to CaseAdmin. The search group is updated as 
CaseAdmin’s assignments change. 


Creating a Report from a Case 

You can run a simple report using one of the following ways: 
• If your case group consists of up to 1000 cases, you can view all of its cases on the resource 
navigator tree from which you choose the case and run the report for it. 

• If your case group consists of more than 1000 cases, create an active channel based on a filter for 
case group ID (see "Creating or Editing an Active Channel" on page 213 for additional details) from 
which you choose a case and run the report for it. 

You run a case report one case at a time. 

ArcSight provides the convenience of a simple case report template that includes its underlying query, 
which you can use as is. The output is a simple two-column report that is rotated so that columns 
(composed of the case attributes) are turned into rows, therefore making the report readable. You can 
also customize the template by adding case fields. 

Related topics: 

• "Running Case Reports and Setting Default Parameters" below 

• "Customizing the Case Report" on page 619 


Running Case Reports and Setting Default Parameters 


To run a case report and set default parameters: 

1. On the resource navigator pane or on a case channel, right-click the case and choose Run Case 
Report. 

The Case Report Parameters dialog box is a simplified version of the regular report resource’s 
parameters dialog box: 


[Screenshot: Case Report Parameters dialog. Under Set Parameters, the Common Parameters are Report 
Format (pdf), Page Size (Letter [8.5x11 in]), Email to, Email addresses, Email Format (Send URL), and 
Email Subject, with OK, Cancel, and Help buttons.] 

2. Set the default parameters as follows: 
Report Parameter Values 

Report Format 

From the drop-down menu, select one of the following report output formats: 
■ pdf - Outputs the report as an Adobe PDF file. 

■ xls - Generates a Microsoft Excel file for tables and charts. 

Note: XLS reports you run with Microsoft Excel 2002 might have page break 
format problems (misalignments, column spillover) due to default page size 
settings in Excel. To correct this problem, open the resulting XLS report in 
Excel, choose File > Page Setup from the menus, change the paper size to 
Letter (instead of Legal), and click OK to save your changes. The report has 
the appropriate page break formatting. This problem does not occur in newer 
versions of Microsoft Excel. 

Note: XLS report formats display speedometer charts as pie charts. This is a 
known limitation in Microsoft Excel. 

■ rtf - Produces a rich-text format document. 

■ csv - Creates tabular data as a list of comma-separated values. 

Note: Reports generated in CSV format are not the full equivalent of exports 
to other formats like PDF or HTML. CSV format is useful for loading report 
data into a spreadsheet for further manipulation. Since CSV is meant to 
contain tabular data, only the table data of a report is normally useful. 

Therefore, ArcSight exports only the table data portion of a report to CSV 
format, ignoring any other report information such as charts or text, including 
report titles. 

■ html - Generates the report in a Web page displayed by the default web 
browser. 

Your selection affects your choice for e-mail formats. See description for Email 
Format, another report parameter, in this table. 

The output file is created at report runtime and is stored in the Archived Report 
Group corresponding to the report’s group. See the Archives tab on the report’s 
edit panel. 

Page Size 

From the drop-down menu, select a paper size. 

Run as User 

Run the report as a particular user. From the drop-down menu, select the user 
name by which you would like to run the report. 

For example, this option would allow an administrator for a Managed Security 
Service Provider (MSSP) to run a report for a customer. The administrator would 
need write permissions to the user. 

Note: This option is not available for case reports. 

Email to 

You can have the report sent as e-mail to one or more ArcSight users. 

From the drop-down menu, select the Console users to whom the report should 
be e-mailed. (The selection list is read from the Users resource.) 

The recipient will only see his or her user name in the To field even if there are 
multiple recipients for this report. 

Handling empty reports: If you are emailing reports, empty reports will also be 
sent. This is determined by the server property, report.scheduler.notify_empty_reports, 
which is set to true. If you don’t want empty reports to be sent, add the property to 
the server.properties file and change the setting to false. Follow the instructions in the 
ESM Administrator’s Guide on how to edit this file. The details are in the guide’s 
Configuration chapter, topic on Managing and Changing Properties File Settings. 

Email addresses 

Send the report to one or more comma-separated or semicolon-separated e-mail 
addresses. This option does not require the recipient to be an ArcSight user. 

Note: The recipient will only see his or her e-mail address in the To field even if 
there are multiple recipients for this report. 
Email Format 

Specify how the report is to be accessed by the recipient. 

■ Choose Send URL if you want to point users to the report. Use this option if 
the report is large and is saved (archived) to a network-accessible location. 

You can provide URLs for all report formats: PDF, XLS, RTF, CSV, and HTML. 

■ Choose Attach Report if you want to send the report directly to the user's 
e-mail box. 

You can only attach PDF, XLS, RTF, and CSV report formats. 

■ Choose Attach Compressed Report if you want the PDF, XLS, RTF, or 
CSV report to be compressed (zipped) first before mailing. 

■ If you want to display the report on the e-mail message body so that the 
recipient immediately sees the report upon opening the e-mail, select Embed 
Report. 

You can only embed CSV and HTML report formats. 

Note: If you select an email format for an unsupported report format, the 
notification automatically uses the URL. 

Email Subject 

Specify the subject on the notification. Defaults to the report’s Name attribute 
(denoted by $ReportName). If you want to use a customized subject, type the 
text either in addition to the default or replace the default text entirely. 


3. Click OK. 

4. Respond to the prompt to open the report for viewing or to save it to a directory of your choice. 


Customizing the Case Report 

Customizing the case report gives you the flexibility of adding case fields that you need and removing 
case fields that you don't need. 

The basic case report, Selected Case Report, and its underlying query, Selected Case Query, are 
provided as part of the ArcSight standard content under /All Reports/ArcSight 
System/Core/Selected Case Report and /All Queries/Arcsight System/Core/Selected 
Case Report/Selected Case Query. This case report, at a minimum, has a name and a query on a 
case ID. You can copy this report as a template and change the copy to add or remove fields in the 
report. 

By default, Selected Case Query includes the following fields for Selected Case Report: 
Fields in Selected Case Report 

• Name 
• Alias 
• Create Time 
• Creator 
• Description 
• Modification Time 
• Owner 
• Consequence Severity 
• Operational Impact 
• Security Classification 
• Stage 
• Ticket Type 
• Reporting Level 
• Frequency 
• Detection Time 
• Estimated Restore Time 
• Estimated Start Time 
• Incident Source 1 
• Incident Source 2 
• Incident Source Address 
• Affected Elements 
• Affected Services 
• Affected Sites 
• Estimated Impact 
• Action 
• Associated Impact 
• Attack Agent 
• Attack Mechanism 
• Security Classification Code 
• Sensitivity 
• Vulnerability 
• Actions Taken 
• Followup Contact 
• Planned Actions 
• Recommended Actions 


If you want to change fields in the case report, copy both Selected Case Report and Selected Case 
Query into a resource group of your choice (as shown in the procedures), then modify the copies. 


Follow all procedures in this topic according to the sequence: 

• "Customize Selected Case Query" below 

• "Customize Selected Case Report" on the next page 

• "Add a Server Property for the New Report URI" on the next page 

Customize Selected Case Query 

This topic explains how to add fields (columns) in the report query so that they are included in the case 
report. In this procedure, we will add the following fields: 

Attack OS 
Attack Impact 
Attack Target 

To customize Selected Case Query: 

1. Copy Queries/Shared/All Queries/ArcSight System/Core/Selected Case Report/Selected Case Query 
into a custom query group of your choice and rename it, for example: 

Queries/Shared/All Queries/Public/CW3 Selected Case Query 


Keeping this copy in the Public node makes it accessible to all. 


Caution: You can change the copied query’s name, but keep the Query On = Case setting. 


2. On the copied query’s Fields tab, click Add ‘SELECT’ columns to add fields you want included 
in the report: Attack OS, Attack Impact, Attack Target, and more. Change the sort order as 
desired. 


Note: The Notes field is not available for this query. 


Refer to "Building a Query" on page 302 for detailed instructions on creating queries. 

Customize Selected Case Report 

This topic explains how to customize the basic case report by using the customized query ("Customize 
Selected Case Query" on the previous page). For best results, use the Simple Table Portrait for your 
customized report. The template also supports Simple Table Landscape if you want a wider format. If 
you use formats other than Table, your report readers might have usability issues. 

To customize Selected Case Report: 

1. Copy Reports/All Reports/ArcSight System/Core/Selected Case Report into a custom 
report group of your choice and rename it, for example: 

Reports/Shared/All Reports/Public/CW3 Selected Case Report 

2. Go to the copied report’s Data tab: 

a. For the Data Source field, browse to the copied query (CW3 Selected Case Query in our 
example) and select it as the data source for the report. 

The added fields from the modified query should be in the Available Columns table. Scroll 
horizontally to view all available fields. 

b. On the Available Columns, locate the fields you added to the report query. Check the boxes 
corresponding to the added columns. 

Add a Server Property for the New Report URI 

The default URI for case reports is indicated on the Selected Case Report’s Parent Groups field: 

/All Reports/ArcSight System/Core/ 

Your customized case report needs to use a different URI, as explained in the following instructions. 

To enable your case reports to use the new report format: 

Add the full URI, including the customized report name, in server.properties through this statement: 

case.report.uri=<New report URI> 

For example: 

case.report.uri=/All Reports/Personal/CaseWorker3's Reports/CW3 Selected Case Report 

For instructions on setting server properties, refer to the “Managing and Changing Properties File 
Settings” topic in the ESM Administrator Guide. After you follow the instructions in that guide, this URI 
appears on the customized case report’s Parent Group field. 
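Both server.properties settings this chapter points at, report.scheduler.notify_empty_reports (under the Email to parameter above) and case.report.uri, are plain key=value entries in the Manager's properties file. The following Python helper, added here as an example and not part of ArcSight ESM or its tooling, sets both idempotently: the sample file content and the report URI are constructed, the file path is an assumption, and only single-line key=value entries are handled (no backslash line continuations).

```python
"""Upsert the server.properties keys this chapter refers to.

Added example; not part of ArcSight ESM. Handles the single-line
key=value form shown in the guide (no backslash line continuations).
"""
import re
from pathlib import Path

# Constructed sample of an ESM Manager server.properties fragment. The
# first key is present with the default the guide describes; case.report.uri
# is absent, because the guide says you add it yourself.
SAMPLE_PROPERTIES = """# server.properties (constructed sample)
report.scheduler.notify_empty_reports=true
some.other.key = value with spaces
! legacy-style comment
"""

# A java.util.Properties key runs up to the first unescaped '=', ':' or
# whitespace; the separator itself is optional.
_ENTRY_RE = re.compile(r"^([^\s:=\\]+)\s*[:=]?\s*(.*)$")


def parse_entry(line):
    """Return (key, value) for a key=value line, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None
    match = _ENTRY_RE.match(stripped)
    return (match.group(1), match.group(2)) if match else None


def read_property(text, key):
    """Value of key as java.util.Properties would see it: last definition wins."""
    value = None
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry[0] == key:
            value = entry[1]
    return value


def upsert_property(text, key, value):
    """Return text with key set to value.

    The first existing definition is rewritten in place and any later
    duplicates are dropped (otherwise last-wins would resurrect the old
    value); if the key is absent it is appended.
    """
    out, replaced = [], False
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry[0] == key:
            if not replaced:
                out.append(f"{key}={value}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def configure_case_reports(text, report_uri):
    """Apply both settings discussed in this chapter to a properties text."""
    text = upsert_property(text, "report.scheduler.notify_empty_reports", "false")
    return upsert_property(text, "case.report.uri", report_uri)


def update_properties_file(path, report_uri):
    """Back up and rewrite a server.properties file (the path is an assumption)."""
    target = Path(path)
    # java.util.Properties reads .properties files as ISO-8859-1.
    original = target.read_text(encoding="latin-1")
    target.with_name(target.name + ".bak").write_text(original, encoding="latin-1")
    target.write_text(configure_case_reports(original, report_uri), encoding="latin-1")


if __name__ == "__main__":
    # Placeholder URI for a custom report; the guide's own example is
    # /All Reports/Personal/CaseWorker3's Reports/CW3 Selected Case Report.
    print(configure_case_reports(SAMPLE_PROPERTIES, "/All Reports/Public/CW3 Selected Case Report"))
```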


Using External Case Management Systems 

HP provides the ability to integrate with external case management systems. You can export ESM 
cases to these external case management systems as XML files. 

HP Service Manager 

If you have the HP Service Manager, you can configure ESM to integrate with it using the Enterprise 
System Connector for HP Service Manager. Then you can use HP Service Manager to provide 
supplemental or alternative ticketing, tracking, and workflow support for security event data. 

The Enterprise System Connector for HP Service Manager transfers data from ESM to HP Service 
Manager. The ArcSM connector can also be configured to update the ArcSight database with HP 
Service Manager status. For more about the ArcSM connector, see the ArcSM documentation. 

BMC Remedy 

If you have the Remedy Action Request System, you can configure ESM to integrate with it using an 
application called ArcRemedyClient. Then you can use Remedy to provide supplemental or alternative 
ticketing, tracking, and workflow support for ESM security event data. 

ArcRemedyClient runs in the background as a service, transferring data from ESM to Remedy. 
ArcRemedyClient can also be configured to update the database with Remedy status. For more about 
the ArcRemedyClient, ask your HP Customer Service representative for ArcSight products. 

To export an ArcSight case to an external system: 

If you have an integration to an external case management system, you can transfer cases from the 
Cases resource tree to the external system as XML by doing the following. 

1 . Choose the Cases resource tree in the Navigator panel. 

2. Right-click a case and choose Export to External System. 

The Case Editor displays a message informing you of a successful transfer. Exported cases also 
display a flagged icon indicating the case has been exported. The output file is stored in the Manager’s 
archives/export/ directory. 
What are Integration Commands? 623 

Planning Checklist and Workflow 626 

Navigating to Integration Command Resources 627 

Defining Commands 628 

Using Configurations to Group Commands 635 

Specifying Targets 641 

Authorization and Authentication Settings 643 

Running Integration Commands 645 

Entering/Saving Command Parameters at Runtime 646 

Ready-Made ArcSight Threat Response Manager (TRM) Commands 647 

ArcSight Logger Search Commands 655 

Network Tools as Integration Commands 659 

More Integration Examples 661 


Integration commands leverage the power of security and event management, and broaden its view to 
show external, snap-in views from appliances like ArcSight NSP and ArcSight Logger, as well as third- 
party applications. 

HP ships ArcSight ESM with standard content (pre-built commands) and a platform for building your 
own command configurations. 

Contact HP ArcSight Professional Services if you need assistance in authoring tools integrations with 
ArcSight products or other applications. 


What are Integration Commands? 

Integration commands enable you to link from the ArcSight Console to information in other views and 
applications. You can also build and launch commands locally and on remote servers or appliances, 
using field values in events as command parameters. You can configure the commands as context- 
aware, right-click options on different views, resources, and editors on the ArcSight Console. 

Configurations can define valid data types and selections for a set of commands. For example, you 
could configure a set of URL commands to run as a right-click on a selected cell in an active channel 
and accept only IP addresses as data types. 

The ability to integrate commands for various applications means the ArcSight Console can serve as a 
central hub for defining, managing, and launching TRM actions, Logger searches for older versions of 
ESM, and third party applications, as well as local ArcSight scripts. You can also configure and 
manage role permissions and access lists (ACLs) for tools and commands in the ArcSight Console. 

Tip: You can use the ArcSight Command Center to run Logger searches. 


Supported Command Types 

You can build these types of context-based, right-click commands into the ArcSight Console: 


Command Type: URL commands link to Web page URLs or URIs 
Output Results: Web browser 
Examples: Out-of-the-Box NSP TRM URL commands; Out-of-the-Box Logger Searches 

Command Type: Script commands run scripts 
Output Results: Script/executable output result (for example, action) 
Examples: Network Tools 

Command Type: Connector commands are derived from associated nodes or applications 
Output Results: Structured result based on the SmartConnector and its associated node or application 
Examples: Refer to your device-specific SmartConnector guide 

For more information on working with commands, see "Defining Commands" on page 628. 

Tip: All integration commands are designed as manual, right-click options in various contexts 
in the ArcSight Console. This enables you to launch commands in ArcSight Console displays and 
access available workflows in other applications. 

To define rule-driven commands, configure rule actions to send SmartConnector commands 
(rather than by creating integration commands). 

For more information about using SmartConnector commands in rules, see "Execute Connector 
Command" on page 524. 


Out-of-the-Box Commands for ArcSight Appliances 

ArcSight ships with pre-built, URL-based commands for the following ArcSight appliances. 

• ArcSight NSP, TRM component: A typical command would take an action based on the event. For 
example, you might select a suspicious login attempt in an intrusion monitoring channel or Hot List, 
and investigate or quarantine the associated IP address using TRM. (For information on NSP TRM 
commands, skip to "Ready-Made ArcSight Threat Response Manager (TRM) Commands" on 
page 647.) 
• ArcSight Logger: A typical command would be to run a remote search or query on an element in a 
selected Logger stored event in an active channel. (For information on Logger commands, skip to 
"ArcSight Logger Search Commands" on page 655.) 


Tip: You can use the ArcSight Command Center to run Logger searches. Refer to the ArcSight 
Command Center for instructions on configuring peers and running distributed searches on 
peers. Refer to the Release Notes for a list of supported Logger versions in distributed 
searches. 


Local Scripts and Commands to Other Applications 

Typical activities for which you might build and run commands in the ArcSight Console that connect to 
other applications and tools include: 

• Launch third-party Web interfaces 

• Launch scripts 

• Run external searches 

• View submitted tickets 

• Get Asset/Vulnerability information 

• Get Payload Information 

You can set up context-aware commands to third-party applications and custom scripts. With 
command configurations, you can make these available in specified ArcSight Console views and use 
particular fields as parameters to your commands. 

ArcSight ships with standard utilities configured to be available in ArcSight Console views. For 
example, the ping command is available in grid views such as active channels, lists, and query 
viewers, and takes as a parameter the IP address or host name in the selected event. 

For information on integrating basic network tools such as Ping, Nslookup, or ArcSight specific Send 
Logs, see "Using the Network Tools" on page 53 and "Network Tools as Integration Commands" on 
page 659. 


How It Works 

Integration commands provide resources for tools integration authors to: 

• Build context-sensitive commands that you can run locally or on multiple, remote target servers, 
and you can mix, match, and re-use with configurations. 
• Associate parameters with commands to read the resources for which you call the commands. 
Command parameters make use of Velocity Expressions to pick up values from fields and 
resources. (See "Velocity Templates" on page 1093.) 

• Define configurations (sets of commands) for various external applications to specify relevant 
contexts, commands, rendering formats, and, optionally, remote targets. 

Once integration commands and configurations are in place, analysts and operators working with the 
ArcSight Console can use your custom-built commands or ArcSight pre-built commands (for Logger or 
NSP TRM) to manage and monitor networks and assets with an extended reach into other views, 
toolkits, and servers. 

Configure login credentials for authentication on external applications through integration parameters 
on the user resource. (See "Setting User Login Parameters" on page 643 and "Setting Logins and Other 
Parameters to Prompt for Values at Runtime" on page 644.) 


Planning Checklist and Workflow 


Plan your command integrations by identifying the utilities or applications to integrate and collecting the 
necessary information. Here is a checklist of considerations. 


Components and Questions 

Commands 

• What commands will you run on the external application? Is there a subset of 
commands you want to integrate into the ArcSight Console? 

• What is the command type (Web URL, local executable script, or Connector 
command) and syntax? 

Servers, Authentication, SmartConnectors 

Integrating Logger or NSP URL commands requires an IP address or host name 
of the appliance and authentication credentials for users. 

Configurations 

• How do you want to render (display) output results of commands? This largely 
depends on the command type; for example, URL commands are rendered in an 
external or embedded browser. 

• How many integration configurations do you need? 

• Does the application you are integrating have more than one type of 
interface (for example, Web and CLI, like TRM)? If so, you’ll need a 
configuration for each interface and associated command type. 

Users 

• Which users work with these integration tools or applications? 

• Are authentication parameters required on target servers, appliances, or 
applications? If so, collect or establish user names and passwords for users 
who run these commands. 

• Plan for configuring integration parameters on user accounts for users who 
work with the external applications. These users need login credentials for 
both ArcSight and the target applications. 

• For users with the same authentication parameters for a target server, you 
can create a target resource with those parameters instead of duplicating the 
parameters in each user account. Then you can configure the ACL of that 
target resource so that only those users have access to it. When a command 
is triggered in the right context, only the target to which that user has access 
is displayed. Use a similar ACL approach for commands. For example, a 
single configuration can contain groups of commands, where some 
commands require special privileges. 

Once you have a plan, you might try configuring the commands and testing in this order: 

1. Add the commands (command name, type, the command itself, and its parameters). 

2. Specify the targets (remote servers where commands run), if any. 

3. Create one or more configurations, add in the commands you created, choose how command 
results are rendered (displayed), and define ArcSight Console UI contexts where these 
commands are available for use. 

4. Add Integration Parameters to User Accounts. If authentication is required on target servers, 
configure login credentials on user accounts for users who run these commands. These users 
need login credentials for both ArcSight and on the target applications. 

5. Test the commands. See "Running Integration Commands" on page 645 


Navigating to Integration Command Resources 

To create or edit integration commands and configurations, start by navigating to Integration 
Commands resources. Following is an example of the resource with custom integration commands: 
[Screenshot: Navigator panel, Resources tab, with Integration Commands selected (Ctrl+Alt+O) and the Commands, Targets, and Configurations tabs. The tree shows admin's Integration Commands (Google Search, Quarantine by MAC, and a Tools group containing Nslookup, Ping, Portinfo, Traceroute, Web Search, and Whois), Shared, All Integration Commands, ArcSight Administration, and ArcSight Foundation.] 

Users can access existing integration commands and configurations through right-click commands on 
the ArcSight Console in various contexts. The contexts depend on how the commands are configured. 


Defining Commands 

Use the commands feature to configure URL, Script, and Connector commands for custom and third-party 
applications and other ArcSight products. Setting up commands is the first step in a multi-part 
process for providing a set of integration commands. (Other tasks include setting up configurations, 
targets, and user login parameters.) This topic explains how to add and edit the command portion of an 
integration command solution. 

To add a new command: 

1. In the Navigator panel, select the Integration Commands resource from the drop-down menu 
and click the Commands tab. 

2. Right-click a group (folder) in which to create the command, and select New Command. This 
launches the Command Editor in the Inspect/Edit panel. It is best to create new content in your 
own folder. 

3. On the Command Editor, select the command Type and fill in the fields for command Name and 
other attributes. 
Command Type    Description 

Script          Executable script that runs locally to the ArcSight Console where the command is launched. 

URL             Web URL for which you can define parameters. 

Connector       Commands for ArcSight SmartConnectors. 


4. Click Apply or OK to add the new command. 


Command Types and Attributes 

The command attributes vary, depending on the type (Script, URL, or Connector), as described below. 

Script Commands 

Like other commands, you can make script commands available to multiple users and user groups. 
Users probably run the ArcSight Console on many different machines. Integration script commands 
always run on the same machine as the ArcSight Console used to launch them. Therefore, the working 
directory and program path names should reflect where commands are found in ArcSight Console 
users’ environments. 


Script Command Attributes 

Name: User-friendly name for the command. 

Working Directory: Directory containing the executable script. For example, $systemRoot\system32\ 

You can type the directory path in the Program field, or click the Browse Directory button to get a file browser. Use the file browser to navigate to and select the command. 

Note: Be sure this path reflects the location of the script on machines used by ArcSight Console users for whom you are building these commands. 

Program: Full path to the executable command. For example, $systemRoot\system32\ping.exe 

You can type the full path to the command in the Program field, or click the Browse Directory button to get a file browser. Use the file browser to navigate to and select the command. 

Note: Be sure this path reflects the location of the script on machines used by Console users for whom you are building these commands. 

Parameters: Provide parameters for the command. (See "Adding and Editing Command Parameters" on page 633.) 

The Attributes list provides Velocity Expressions for all event fields and an option to add $selectedItem as an attribute. 


Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 


URL Commands 


URL Command Attributes 

Name: User-friendly name for the command. 

URL: The URL for the command, along with any parameters provided as arguments to the URL. 

Click the browse button to get the Parameters dialog. (See "Adding and Editing Command Parameters" on page 633 for information on how to add the URL along with parameters or arguments to the URL.) You can copy/paste URLs onto the Parameters dialog scratch pad or type them directly. The Attributes link provides Velocity Expressions you can add as parameters (attributes) to the URL. 

• Type or paste the URL directly in the Parameters dialog scratch pad. 

• Click Attributes to add a Velocity Expression as a URL parameter. 

Determine the URL by first accessing it from a Web browser address bar. This also shows you where in the URL to add the parameters (if any). 

Example: Web Search 

To set up a Google Search on a parameter, do a Google Search in a Web browser. Extract the first part of the URL (everything to the left of the search term) from the Address bar, and paste it into the Parameters dialog scratch pad: 

http://www.google.com/search?q= 

Click Attributes on the Parameters dialog to get a list of Velocity Expressions. Select the option Selections > $selectedItem. The expression is added as a parameter to the search: 

http://www.google.com/search?q=$selectedItem 

Click OK to close the Parameters dialog and save your changes. Click Apply or OK on the Command Editor when you are satisfied with all settings. 

When this search command is deployed as part of an integration configuration, and run via a right-click command in the context of the ArcSight Console, it searches the text in the cell (Viewer table cell) the user selects in the ArcSight Console. 


Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 

Connector Commands 

Tip: Prerequisites for Connector Commands 

If you plan to build and use Connector commands you need: 

• Access to relevant servers where the SmartConnectors are installed. 

• One or more of the associated SmartConnectors deployed and registered with the Manager to 
which your ArcSight Console is connected. 

Test connectivity and authentication between your local machine, SmartConnectors, and 
appliances before setting up Connector integration commands. 


Connector Command Attributes 

Name: User-friendly name for the command. 

Group: Choose a group from the Group drop-down menu. Depending on which Group you select, relevant commands are provided in the next field (Command). 

See "Set Event Field" on page 522 in "Rule Actions Reference" on page 520. 

Command: Choose a command from the drop-down menu. Depending on which Group you selected, relevant commands are provided here. Choose a Connector command from the drop-down list. 

Note: In order to get the list of Connector commands, you need to have the SmartConnector deployed and registered with the Manager to which your ArcSight Console is connected. 

Parameters: To define parameters for the command: 

1. Click the browse button to get the Parameters dialog. 

A table of name-value pairs is provided that represents the valid parameters for the given command. 

2. Select the parameters to use, and define values for them with either hard-coded values or Velocity Expressions. 

For example, you could define the Connector command Quarantine Node By IP Address to use three parameters: IP Address, Quarantine Period, and Overwrite Active Quarantine (a yes/no value set to 0 or 1, respectively). 

You could set the IP address to a Velocity Expression for attacker address, Quarantine Period could be set to 1 hour, and overwrite set to Yes. 

The Attributes list provides Velocity Expressions for all event fields along with options to add Console selections, dates, and channel start and end times as attributes. 

3. Click OK on the Parameters dialog to save your changes. 

Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 


Adding and Editing Command Parameters 

The Attributes list includes Velocity Expressions for all event fields and an option to add user field or 
item selections, channel start or end time, date/time, and other Velocity Expressions as attributes. 

To provide parameters for a command: 

1. Click the browse button to get the Parameters dialog. 

2. Click Attributes to get a list of variables and Velocity Expressions. 


[Screenshot: Parameters dialog with the Attributes menu open. Slide-out menus (Selections, Date, Root, Category, Threat, Agent, Device, Source, Destination, Attacker, Target, File, Old File, Request, Device Custom, Flex, Original Agent, Final Device, Event Annotation, and Global Variables...) give you access to Velocity Expressions, fields, and variables you can use as parameter values in commands. The Threat submenu, for example, lists Asset Criticality, Model Confidence, Priority, Relevance, and Severity.] 

3. Select the expression you want to add. The attribute list includes Global Variables. If the global 
variable to add is composed of a list of fields, expand the global variable displayed in the 
Parameters dialog and select the field you want. 

The expression is added to the Edit Attributes scratch pad as a parameter. 
4. You can continue adding expressions, which are chained together. 

For example, selecting Threat > Priority from the Attributes list results in this parameter being 
placed on the scratch pad: 

${priority} 

Subsequently selecting Attacker > Address, updates the scratch pad entry with chained-together 
expression: 

${priority} ${attackerAddress} 

Tip: The Parameters dialog is an editable scratch pad. In addition to adding Velocity 
Expressions from the Attributes menu and Templates for Connector command parameters, 
you can type new expressions directly into the dialog. Also, you can select and edit existing 
expressions manually. (See also "Removing a Command Parameter" on the next page.) 


5. When the Parameters scratch pad reflects the expressions you want to include as command 
parameters, click OK. 

The parameters you added are reflected on the Attributes tab in the Command Editor. 


[Screenshot: Parameters field on the Attributes tab of the Command Editor showing ${priority}.] 


Be sure to click Apply or OK on the Command Editor to save changes to command parameters 
along with any other changes to the command that you want to retain. 
Removing a Command Parameter 

To remove a command parameter: 

1. Click the browse button to get the Parameters dialog. 

2. Select the parameter in the scratch pad and hit the Delete key on your keyboard. 

3. To add a new parameter to replace the one you are deleting, do so by following steps described in 

"Adding and Editing Command Parameters" on page 633. 

4. Click OK on the Parameters dialog. 

5. Click Apply or OK on the Command Editor to save your changes. 


Using Configurations to Group Commands 

An integration configuration resource represents a family of commands of the same type. Commands 
in a configuration share the same context, rendering method, and targets. 

Configurations provide a way of grouping similar commands and specifying common options for where 
on the ArcSight Console UI the commands are available (contexts) and where commands run (scripts 
run locally; others, like Connector commands, can have one or more remote targets). This is partly a 
matter of preference (about how you want to group, organize, and present commands to ArcSight 
Console users), and partly a matter of which commands belong together. 

Note: Configurations can include only commands of the same type (script, URL, or 
Connector). Commands that share a configuration use the same renderer, contexts, and (if 
relevant) targets. You might want to make finer-grained groupings; for example, sub-groups of 
scripts or Connector commands. 

Setting up configurations is a step in a multi-part process of making a set of integration commands 
available to ArcSight Console users. (Other tasks include setting up commands, targets, and user login 
parameters). 

This topic explains how to add and edit the configuration portion of an integration command solution. 

For an overview of the integration commands feature, see "Integration Commands" on page 623. For 
more details on the relationship between commands, configurations, and targets, see "How It Works" 
on page 625. 

To create a configuration: 

1. In the Navigator panel, select the Integration Commands resource from the drop-down menu 
and click the Configurations tab. 
2. Right-click a group (folder) where you want to create the configuration, and select New 
Configuration. This launches the Configurations Editor in the Inspect/Edit panel. 

3. Fill in the fields on Attributes, Context, Commands, and Targets tabs as described in: 

■ "Configurations Attributes" below 

■ "Configurations Contexts" on the next page 

■ "Configurations Commands" on page 639 

■ "Configuration Targets" on page 640 (when commands run on remote targets) 

4. Click Apply or OK to add the new configuration. 


Tip: You can use the above procedures to create integration configurations from within a context. 
To do this, right-click anywhere in the UI, and choose Integration Commands > New 
Configuration. Then perform the above steps. 


Configurations Attributes 

Define the configuration name and other basic details for the configuration on the Configurations 

Attributes tab. 


Configuration Attributes 

Type: Choose the type of configuration from the drop-down menu: 

• Script 

• URL 

• Connector 

Note: The configuration type must match the command types in the configuration. (See 
"Command Type" on page 629.) Once the configuration is saved, the type is not editable. 
This setting influences choices on other options for the configuration, such as the "Type" 
above. 

Name: A user-friendly, informative name for the configuration (preferably, one that indicates 
the commands contained in it). 

Allow Multi Select: Use this to allow selecting multiple events on which to run a command. It is off by 
default. A check mark indicates it is on/enabled. 

When on, users can select multiple events and the commands assign the values to a 
parameter as a comma-separated list. 

For example, suppose you have a command with the parameter ip=$targetAddress. 

• With Multi Select disabled, the command accepts only a single IP address based on 
a selected event (for example, ip=192.0.2.0). 

• With Multi Select enabled, a user can also get "ip=192.0.2.1,192.0.2.2" if two rows 
are selected. 

In order for this to work: (1) the ArcSight Console context (for example, active channel) 
must allow multi-row selection, and (2) the integration target must support a comma- 
separated list of values for the given command and parameter. 

Note: Multi Select does not affect how individual fields in an event are processed. Event 
field processing is determined entirely by the definition of command parameters. For 
example, a command with an Attacker Address parameter always gets that value from 
the selected event. 


Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 


Configurations Contexts 

As a part of constructing command configurations, you can configure contexts for where in the 
ArcSight Console certain commands are available. At the same time, you can define parameters for 
picking up and passing the value in any selected cell, row, or event field. 

For example, you could configure a URL command for a Google search as a right-click command on 
any cell in an ArcSight Console grid view. By using a parameter as the argument to the search 
command, you could pick up the text from the selected cell or value from any selected field to use as 
your search term. (In the Commands editor, all fields, provided as a list of Velocity Expressions, are 
available for use as command parameters.) 

Once configured, integration commands are available on right-click context menus from a variety of 
contexts including: 




• Relevant fields in active channels (for example, IP address, host name, MAC address) 

• Relevant resources (for example, assets) 

• Active Lists, sessions lists, query viewers and channels 

Also, you can configure user login parameters on ArcSight Console users (via a new Integration 
Parameters tab in the Users resource editor), thereby binding user login information to commands for 
third-party or ArcSight applications that require secure logins. (See "Setting User Login Parameters" on 
page 643 for more information.) 

You can configure a command to prompt for parameter information, which is often useful for login 
scenarios as well as others. (See "Setting Logins and Other Parameters to Prompt for Values at 
Runtime" on page 644 for more information.) 

To set up command contexts: 

Use controls on the Configurations Context tab to add, edit, or remove contexts in a configuration. 


[Screenshot: Configurations editor, Context tab (Attributes | Context | Commands | Targets | Notes), with Add and Remove buttons and a table of contexts with the columns Location, Type, Selection, and Data Type; for example, Editor / All Editors / All Selections / All Data Types and Viewer / All Views / All Selections / All Data Types.] 


Click the fields under Location, Type, Selection, and Data Type to get drop-down menus with which to 
select contexts in the ArcSight Console UI where the command is available and to which selections it 
applies. 


Command Context Attributes 

Location: View where in the ArcSight Console the command is available. For example: 

• Viewer, for the Viewer panel where "Views" on page 1101 of active channels, 
dashboards, and so on are shown 

• Resource, for the Navigator Panel resource tree 

• Editor, for resource editors 

Type: Contexts in the ArcSight Console panels where the command is available. Available 
types vary depending on the location you choose. 

For example, if you choose Viewer for the location, you can specify types of “views” 
where you want the command to display, such as Grid View, Chart View, various List 
entries, Dashboards, Query Viewers, and so on. 

Selection: User selection or subset of it that is fed into the command. Options can include All 
Selections, Selected Cell, Selected Row, Selected Attribute. 

Data Type: Data type for the parameters fed into the command (derived from the Selection). Options 
include: 

• All Data Types 

• IP Address 

• MAC Address 

• Date 

• Double 

• Integer 

• Long 

• Resource 

• String 
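The Allow Multi Select setting described under Configuration Attributes above and the Data Type filter in this table, as an added example that is not part of this guide or of ArcSight's own code. It assumes the Velocity-style $name / ${name} parameter syntax the guide uses; the sample events, the validator table, and the url_encode option (which percent-encodes a selected value before it is placed in a URL command such as the Google Search example) are constructed for illustration: 

```python
"""Added example (not ArcSight Console code): fills a command's parameter
template from the events a user selected, applying the Allow Multi Select
setting (one row, or a comma-separated list of values from every selected
row) and the context's Data Type filter (only values of the configured type
are passed on). Validators and sample events are constructed for this example."""
import ipaddress
import re
from string import Template
from urllib.parse import quote

# Constructed sample events, one per selected row in a Console grid view.
SELECTED_EVENTS = [
    {"priority": "7", "attackerAddress": "198.51.100.10", "targetAddress": "192.0.2.1"},
    {"priority": "5", "attackerAddress": "198.51.100.11", "targetAddress": "192.0.2.2"},
    {"priority": "3", "attackerAddress": "203.0.113.5", "targetAddress": "host.example"},
]


def is_ip_address(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Hypothetical mapping of Data Type context values to validators (assumed;
# the Console applies its own type filtering internally).
DATA_TYPE_CHECKS = {
    "All Data Types": lambda value: True,
    "IP Address": is_ip_address,
    "Integer": lambda value: value.lstrip("-").isdigit(),
}

# Matches $name and ${name}, the parameter forms shown in the guide.
PARAM_NAME = re.compile(r"\$\{?(\w+)\}?")


def render_parameters(template, events, allow_multi_select=False,
                      data_type="All Data Types", url_encode=False):
    """Substitute the $parameters in `template` from `events`.

    Returns (rendered_string, rejected), where `rejected` lists the
    (parameter, value) pairs dropped because they failed the Data Type check.
    With url_encode=True each value is percent-encoded first, so a selected
    cell containing spaces, '&' or '#' cannot change the structure of a URL.
    """
    if not allow_multi_select:
        events = events[:1]  # Multi Select off: only the first selected row is used
    check = DATA_TYPE_CHECKS[data_type]
    values, rejected = {}, []
    for name in dict.fromkeys(PARAM_NAME.findall(template)):
        accepted = []
        for event in events:
            value = event.get(name, "")
            if check(value):
                accepted.append(quote(value, safe="") if url_encode else value)
            else:
                rejected.append((name, value))
        values[name] = ",".join(accepted)  # one value, or a comma-separated list
    return Template(template).safe_substitute(values), rejected


if __name__ == "__main__":
    print(render_parameters("ip=$targetAddress", SELECTED_EVENTS))
    print(render_parameters("ip=$targetAddress", SELECTED_EVENTS,
                            allow_multi_select=True, data_type="IP Address"))
    print(render_parameters("http://www.google.com/search?q=$selectedItem",
                            [{"selectedItem": "foo bar&baz"}], url_encode=True))
```

The rejected list is the part worth keeping in a real integration: with Multi Select on, a target receives whatever comma-separated list the Console builds, so the filter in the configuration's Data Type is what stops a non-address cell (host.example above) from reaching a command that expects only IP addresses. 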


Configurations Commands 

Use controls on the Configurations Commands tab to add, edit, or remove commands in a 
configuration. 


[Screenshot: Configurations editor, Commands tab (Attributes | Context | Commands | Targets | Notes), with Add, Edit, Remove, and Refresh buttons and a list of Integration Commands; for example, /All Integration Commands/Personal/admin's Integration Commands/URL Command/Google Search.] 


Adding a Command to a Configuration 

On the Configurations Commands tab: 

1. Click Add to bring up the Commands Selector dialog. 

2. Navigate to and click (checkmark) the commands you want to add, and click OK. 

The commands are added to the list. (You can add multiple commands to a single configuration.) 
Editing Commands in a Configuration 

On the Configurations Commands tab: 

Select the command you want to edit and click Edit. 

This provides a shortcut into the Command Editor for the selected command. See "Defining 
Commands" on page 628 and "Command Types and Attributes" on page 629 for information on editing 
the command. 

Removing Commands from a Configuration 

On the Configurations Commands tab, select a command in the list and click Remove. 


Configuration Targets 

Targets are not required for all command types, only for those that run on remote servers. Before you 
can add a target to a Configuration (explained here), you first need to define it as described in 
"Specifying Targets" on the next page. 

Use controls on the Configurations Targets tab to add, edit, or remove targets in a configuration. 

Note: If you plan to add remote targets to a configuration, you need host information for the 
remote servers and login credentials if authentication is required. 


Adding a Target to a Configuration 

Targets are applicable to any commands that you want to send to a remote server. 

[Screenshot: Configurations editor, Targets tab (Attributes | Context | Commands | Targets | Notes), with Add, Edit, Remove, and Refresh buttons and a Connectors list showing the connector paths of the added targets under /All Connectors/.] 


• Click Add to bring up the Connectors Selector dialog. 

• Navigate to and click (check mark) the target you want to add, and click OK. 

Editing Targets in a Configuration 

• Select the target you want to edit and click Edit. 

• This provides a shortcut into the SmartConnector Configuration Editor for the selected connector 
or target. (See "Configuring the SmartConnector" on page 140, and also the SmartConnector User’s 
Guide.) 

Removing Targets from a Configuration 

On the Configurations Targets tab, select a target in the list and click Remove. 


Specifying Targets 

Optionally, you can specify targets (remote servers where one or more commands run). 

If you have multiple remote servers, you might want to configure multiple targets on which to run a 
single command with the same or different parameters. 

For example, you can configure any of the following as command targets: 

• Applications with Web interfaces/clients like ArcSight Logger appliances 

  ■ Search providers (for example, Google, Yahoo, ask.com) 

  ■ IT/Security portals 

  ■ Asset/Vulnerability information 

  ■ Ticketing Web servers 

• Connectors 

Setting up targets is a step in a multi-part process of making a set of integration commands available to 
ArcSight Console users. (Other tasks include setting up commands, configurations, and user login 
parameters). 

This topic explains how to add and edit the target portion of an integration command solution. 
For an overview of the integration commands feature, see "Integration Commands" on page 623. 

To add a new target, do the following: 

1. In the Navigator panel, select the Integration Commands resource from the drop-down menu 
and click the Targets tab. 

2. Right-click a group (folder) where you want to create the target, and select New Target. This 
launches the Command Editor in the Inspect/Edit panel. 

3. Fill in the fields as described below. 

4. Click Apply or OK to add the new target. 
Target Attributes 

The only target attribute you need to provide is a user-friendly name for the server. 

Name: Name for the remote server or appliance where the command runs. 


Target Integration Parameters 

Targets are used only for URL configurations, where you parameterize the Web host target of the URL, 
and sometimes login credentials. Type directly into the fields to define a parameter, as described 
below. 

[Screenshot: Target editor for "TRM Appliance 2", Integration Parameters tab (Attributes | Integration Parameters | Notes), with Add and Remove buttons and a table with the columns Parameter, Type, and Value; for example, NSPHostIP / Text / XXX.XX.XX.X.] 


Target Integration Parameter Fields 

Parameter: Parameter name, as specified in the command definition related to this target. 

Type: Parameter type. Choose Text or Password from the drop-down menu. Password type 
parameters are automatically encrypted. 

Notes: 

• Always set login credentials (passwords or authentication tokens) to type 
“Password” (not “Text”). (Credentials set to “Text” are not masked on the UI and are 
sent as cleartext if the renderer is an external browser.) 

• You can set passwords and authentication credentials on target servers too, but we 
recommend against it in most cases. Doing so risks opening up a target server to 
any user who has access to the integration commands (not necessarily an account 
on the target server). Additionally, it does not give you any tracking information 
based on user logins to the server. 

Value: Hard-coded value, variable, or Velocity Expression for the parameter. 

For example: 

• A host name or IP address as a value for a target server parameter 


To add a new parameter, click Add. This gives you a new row in which to enter Parameter, Type, and 
Value information. You can add multiple parameters to a target. 
Tip: Entering data in the Common and Assign sections is optional, depending on how your 
environment is configured. For information about the Common and Assign attributes sections, as 
well as the read-only attribute fields in Parent Groups and Creation Information, see "Common 
Resource Attribute Fields" on page 685. 


Authorization and Authentication Settings 

Authentication: You can specify user login behavior for commands designed to run on secure, remote 
target servers. You can specify login credentials to be used as part of the command, or set parameters 
that prompt users to enter their user name and password when they run the command. 

Authorization: You can set up fine-grained access control lists (ACLs) to specify which ArcSight 
Console users have permissions to view, run or edit different commands. 


Setting User Login Parameters 

You can specify login credentials on user accounts or on remote target servers. It is best to set login 
credentials on user accounts, but both options are described below. (Login credentials are not required 
for Connector integration commands because the authentication is handled as part of the 
SmartConnector setup.) 

Setting Login Credentials 

For URL commands on remote targets and script commands that run locally, you can define login 
credentials as a part of user configurations. (Choose Navigator > Users, select and edit a user or 
create a new one, then click the Integration Parameters tab on the User Editor.) 


You can set login credentials for multiple targets on a user account since a single user might have 
access to multiple systems. This is the recommended approach (instead of setting login information 
on the targets). 

[Screenshot: User editor for user "Darren", Integration Parameters tab (Attributes | Integration Parameters | Notes), with Add and Remove buttons and a table with the columns Parameter, Type, Value, and Targets: 

LoggerUser / Text / Darren / Logger Appliance 1 
LoggerPassword / Password / (masked) / Logger Appliance 1 
NSPAuth / Password / (masked) / TRM Appliance 1] 


Defining login information as part of user accounts gives you the flexibility to configure multiple users, 
each with different logins. In this case, login credentials are not tied to the command target, but rather 
associated with individual users. 

A single user account can have login credentials for different servers and scripts. 

Tip: For security best practices, we recommend that you: 

• Always set login credentials (passwords or authentication tokens) to type “Password” (not 
“Text”). Credentials set to “Text” are not masked on the UI and are sent as cleartext on the 
Web browser. 

• Save authentication information only as parameters on user accounts, not on target servers. 

This strategy binds authentication details to specific users, and gives you tracking information 
based on user logins (for example, you can tell which users ran which commands and when). 

Examples of authentication information are user name and password combinations, and 
authentication tokens sent in URLs such as in NSP TRM. 

Setting Login Credentials on Target Servers 

Although not generally recommended, login credentials for URL commands on remote targets also can 
be defined as part of the Target definition, as described in "Specifying Targets" on page 641. (Choose 
Navigator > Integration Commands > Targets tab, select and edit a target or create a new one, then 
click the Integration Parameters tab on the Targets Editor.) 

[Screenshot: Target editor for "TRM Appliance 2", Integration Parameters tab (Attributes | Integration Parameters | Notes), with Add and Remove buttons and a table with the columns Parameter, Type, and Value; for example, NSPHostIP / Text / XXX.XX.XX.X.] 


If login information is defined here, everyone who uses the command uses the same credentials to log 
in to the remote target server. 

Caution: Here are best practices to secure your authentication information. 

• Do not save authentication information as parameters on target servers. It runs the risk of 
opening up a remote server to any user who has access to the integration commands. 
Additionally, it does not give you any tracking information based on user logins to the server. 

• Always set login credentials (passwords or authentication tokens) to type “Password” (not 
“Text”). (Credentials set to “Text” are not masked on the UI and are sent as cleartext if the 
renderer is an external browser.) 


Setting Logins and Other Parameters to Prompt for 
Values at Runtime 

You can set parameters for which you would like to prompt users to specify values at runtime, such as 
username and password, host names, IP addresses, and other options. 

When an integration command runs (that is, when a user selects an integration command in some 
context on the ArcSight Console), the command first looks for any required parameter values in a 
variety of sources, including in the command statement itself, in the defined context, on the user 
account, on the target (if there is one), and so forth. If it doesn’t find parameter values in any of these 
places, the system prompts the user to type in the values. 

You can include login and other parameters as flags on a script command that runs against a server, as 
shown here for the archive command which runs on a Manager. When this command is run, it prompts 
the user for a Manager host name and administrator password. (It does not prompt for the username, 
admin, since this is already provided in the command statement.) 

archive -action import -m $hostmgr -u admin -p $passwd -f abc.arb 

Referto "Entering/Saving Command Parameters at Runtime" on the next page (in "Running Integration 
Commands" below), for an example of the run-time prompts users see when they run this command. 
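The lookup order and the runtime prompt described above, modelled in Python as an added illustration. This is not ArcSight's code: it follows the order the text gives (value in the command statement, then the context, the user account and the target, then a prompt) for the archive command shown above. The parameter stores, the Text/Password type labels and the masking rule are assumptions made for this example.

```python
"""Added example: how an integration command resolves $placeholders before it runs.

Not ArcSight's code. It mirrors the lookup order described in the text (value in
the command statement, then the context, the user account and the target, then a
runtime prompt) for the archive command shown above. The parameter stores and
type labels below are constructed for this example.
"""
import re

PLACEHOLDER = re.compile(r"\$(\w+)")

# The archive command from the text: "admin" is a literal, so only $hostmgr and
# $passwd are looked up (and prompted for if no source supplies them).
ARCHIVE_CMD = "archive -action import -m $hostmgr -u admin -p $passwd -f abc.arb"

# Assumed parameter types, following the page's advice: credentials are Password.
PARAM_TYPES = {"hostmgr": "Text", "passwd": "Password"}


def resolve_parameters(command, context, user_params, target_params):
    """Return (resolved_values, names_to_prompt_for) for the $placeholders in command.

    Sources are consulted in the order the text gives: context, then the user
    account, then the target. A name found nowhere is prompted for at runtime.
    """
    resolved, prompt_for = {}, []
    for name in PLACEHOLDER.findall(command):
        for source in (context, user_params, target_params):
            if name in source:
                resolved[name] = source[name]
                break
        else:
            prompt_for.append(name)
    return resolved, prompt_for


def render(command, values, types, for_display=False):
    """Substitute values into the command.

    With for_display=True, Password-type values are masked, which is the
    treatment the text says only parameters typed Password receive (Text values
    are shown, and sent, in the clear).
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)            # still unresolved: leave the placeholder
        if for_display and types.get(name) == "Password":
            return "********"
        return values[name]
    return PLACEHOLDER.sub(substitute, command)


def run_with_prompts(command, context, user_params, target_params, prompt):
    """Resolve what the stores provide, call prompt(name) for the rest, return both renderings."""
    values, missing = resolve_parameters(command, context, user_params, target_params)
    for name in missing:
        values[name] = prompt(name)
    return {
        "prompted": missing,
        "display": render(command, values, PARAM_TYPES, for_display=True),
        "execute": render(command, values, PARAM_TYPES),
    }


if __name__ == "__main__":
    # Constructed sample: nothing saved anywhere, so both placeholders are prompted.
    result = run_with_prompts(ARCHIVE_CMD, {}, {}, {}, prompt=lambda n: input(f"{n}: "))
    print(result["display"])
```

With empty stores the user is asked for hostmgr and passwd but never for admin, which is the behaviour the text describes; once a value for passwd is saved on the user account, only hostmgr is prompted.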


Running Integration Commands 

After commands are configured, they are available in various contexts in the ArcSight Console. 


For example, suppose you have a configuration for a set of commands with the contexts set as follows: 


Location   Type        Selection        Data Type 
Viewer     All Views   All Selections   IP Address 


This means that the given commands are available on right-click context menus on any view (for 
example, active channels, list views, chart views, dashboards, and so on). The user can select any 
row, cell, or area on a chart. In this context, only IP addresses can be provided as valid parameters to 
the command. 

If one of the commands in this configuration was an NSP TRM Quarantine Node command (a type of 
TRM Connector command), then to use the command you would do the following: 

1. Bring up an active channel, session list, active list, dashboard, or other resource in the viewer that 
shows, for example, a suspicious device, machine, or user that you want to quarantine. 

2. Find the row on the Viewer display that contains the suspicious entity, and select a cell in that row 
that contains the source IP address (for example, Attacker Address). 

3. Right-click over the cell with the source IP address (for example, Attacker Address), and choose 
Integration Commands > Quarantine Node. 

This launches the selected command, using the IP address for the selected cell as the parameter 
for the command. 

In general, right-clicking in any context in the ArcSight Console UI for which integration commands have 
been configured shows all integration configurations. 

Entering/Saving Command Parameters at Runtime 

Commands can be configured to prompt for parameter values at runtime (as described in "Setting 
Logins and Other Parameters to Prompt for Values at Runtime" on page 644). Also, if ready-made 
commands (such as for Logger) are not pre-configured, you are prompted for values. For example, 
parameters might ask for a particular host name as command input, an IP address against which to run 
a command, or login credentials to a target server. 



If you launch a command that prompts for input, enter the appropriate text in the “Value” field for each 
required parameter. 

If you have appropriate permissions, you have the option to save parameter values with the target or 
with your user account so that you don’t have to re-type them each time you run the command. 

Tip: Security Best Practice Recommendations: 

• In order to save parameter values at runtime, you need to belong to a group with read and write 
permissions to the associated targets. 

• Always set login credentials (passwords or authentication tokens) to type “Password” (not 
“Text”). Credentials set to “Text” are not masked on the UI and are sent as cleartext if the 
renderer is an external browser. 

• Always save login credentials to user (Save to User), not to the target server. This strategy 
binds authentication details to specific users. This better safeguards access to the remote 
server to appropriate users. Also, you have tracking information based on logins as to which 
users entered which commands. 

If you save authentication details as parameters on a target, you run the risk of opening up a 
remote server to any user who has access to the integration commands (but not necessarily an 
account on the target server). And you have no per-user tracking information. 
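The difference between Save to User and Save to Target, modelled as an added illustration (not ArcSight's code). The store, the user and target names, the parameter names username/password, and the idea of asking which account the remote server would see are all constructed for this example:

```python
"""Added example: where a saved credential lives decides who can use it and who the
remote server thinks is logging in. Not ArcSight's code; all names are constructed.
"""


class ParameterStore:
    """Saved integration parameters, keyed the two ways the text describes."""

    def __init__(self):
        self.by_target = {}   # target name -> {parameter: value}   ("Save to Target")
        self.by_user = {}     # user name   -> {parameter: value}   ("Save to User")

    def save_to_target(self, target, **params):
        self.by_target.setdefault(target, {}).update(params)

    def save_to_user(self, user, **params):
        self.by_user.setdefault(user, {}).update(params)

    def lookup(self, user, target, name):
        """The user account is consulted before the target, as in the text's lookup order."""
        for source in (self.by_user.get(user, {}), self.by_target.get(target, {})):
            if name in source:
                return source[name]
        return None   # not saved anywhere: the Console would prompt for it


def remote_identity(store, user, target):
    """Account the remote server would see for this Console user, or None if prompted.

    The parameter names 'username'/'password' are assumed; they stand for whatever
    login parameters a real command defines.
    """
    username = store.lookup(user, target, "username")
    password = store.lookup(user, target, "password")
    if username is None or password is None:
        return None
    return username


def compare_strategies():
    """Run both strategies for two Console users and report what the remote server sees."""
    users = ["alice", "bob"]      # both have access to the integration command
    target = "remote-server-1"    # constructed target name

    # Strategy A: credentials saved on the target (what the text warns against).
    shared = ParameterStore()
    shared.save_to_target(target, username="svc_shared", password="shared-secret")
    on_target = {u: remote_identity(shared, u, target) for u in users}

    # Strategy B: credentials saved per user (Save to User); bob has no saved login.
    per_user = ParameterStore()
    per_user.save_to_user("alice", username="alice", password="alice-secret")
    on_user = {u: remote_identity(per_user, u, target) for u in users}

    return {"save_to_target": on_target, "save_to_user": on_user}


def audit_problems(identities):
    """Map each remote account used by more than one Console user to those users.

    Several Console users arriving as one remote account means the remote server's
    own logs cannot tell them apart, which is the per-user tracking the text says
    is lost when credentials are saved on the target.
    """
    seen = {}
    for user, account in identities.items():
        if account is not None:
            seen.setdefault(account, []).append(user)
    return {account: users for account, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    for strategy, identities in compare_strategies().items():
        print(strategy, identities, "shared accounts:", audit_problems(identities))
```

With the target-saved credential, bob reaches the remote server as svc_shared without holding an account there; with per-user credentials he is prompted instead, and alice's actions arrive under her own account.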

Ready-Made ArcSight Threat Response Manager (TRM) Commands 

ArcSight TRM commands are integrated into the ArcSight Console and provided as standard content. 
These commands run on ArcSight Network Synergy Platform (NSP) appliances, in which TRM is one 
of the application components. 


Prerequisites 

Before you can run TRM commands from the Console, make sure you are properly set up with one or 
more NSP appliances. Refer to the ArcSight NSP Installation and Administration Guide, the chapter on 
Integrating NSP with ArcSight ESM, for the detailed descriptions and steps, including information on 
TRM commands. 


Options for Up-Front or On-the-Fly Configuration 

Configuring these integrated TRM commands involves specifying the target NSP appliances and 
saving TRM authentication tokens on users who need TRM command access. 

You can use either of these approaches for setting up the TRM integrated commands: 

• Configure target and authentication details before the commands are run (for example, a single 
administrator specifies TRM targets, users, and command parameter values). For this workflow, 
see "Enabling TRM Commands" on page 649. 

• Let users configure commands at command runtime (for example, a user launches a command 
based on an active channel selection and fills in the target appliance IP address, authentication 
token, and parameter values on-the-fly). For this strategy, users can refer to "TRM Integration 
Commands" below and "Understanding NSP Authentication" on page 651. 

If the command details aren’t pre-configured, users are prompted to enter the right values when they 
run the commands. Running one of the commands should set up the target for most commands. 
Some commands might require further setup that can be done again on-the-fly. For information on how 
to run integration commands, see "Running Integration Commands" on page 645. (This topic 
includes information about running commands and entering/saving parameter values at command 
runtime.) 


TRM Integration Commands 

The following integration commands are supported in ArcSight NSP v5.0 and newer versions. These 
are defined in /All Integration Commands/ArcSight Administration/TRM. For all, you need to 
provide values for the given parameters. At a minimum, these include NSPAuth (user authentication 
token) and NSPHostIP (target NSP appliance). 
The commands execute based on which events you select in the ArcSight Console to launch the 
command. This is accomplished with Velocity Expressions, which are built into the commands to get 
values for some parameters, such as $selectedItem, $selectedField, $attackerAddress, 
$targetAddress, and so on. For example, “Quarantine Node” would quarantine the node in the selected 
event. 
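How placeholder expressions such as $selectedItem or $attackerAddress take their values from the selected event, as an added example in Python (not ArcSight's Velocity engine). The event record, the field names and the sample command line are constructed; the percent-encoding step is what a URL-type command, such as the Google Search example later on this page, would need, and is an assumption about the renderer rather than something the page states.

```python
"""Added example: filling $placeholders in an integration command from the selected event.

Not ArcSight's Velocity implementation. The event record, field names, the sample
command line and the URL-encoding step are constructed/assumed for this illustration.
"""
import re
from urllib.parse import quote

PLACEHOLDER = re.compile(r"\$(\w+)")

# Constructed sample: one row selected in an active channel, with the cell
# "Attacker Address" highlighted.
SELECTED_EVENT = {
    "attackerAddress": "192.0.2.10",
    "targetAddress": "198.51.100.7",
    "targetPort": "445",
    "name": "Suspicious SMB Session",
}
SELECTED_FIELD = "attackerAddress"


def expression_values(event, selected_field):
    """Values available to the built-in expressions, derived from the selection."""
    values = dict(event)
    values["selectedField"] = selected_field
    values["selectedItem"] = event[selected_field]
    return values


def fill_command(template, values, url_encode=False):
    """Substitute $placeholders; return (text, names still unresolved).

    Unresolved names are what the Console would prompt the user for. For URL
    commands the substituted cell value is percent-encoded so that characters in
    a cell (spaces, '&', '#') cannot alter the query the browser receives.
    """
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in values:
            missing.append(name)
            return match.group(0)
        value = str(values[name])
        return quote(value, safe="") if url_encode else value

    return PLACEHOLDER.sub(substitute, template), missing


if __name__ == "__main__":
    values = expression_values(SELECTED_EVENT, SELECTED_FIELD)
    # Constructed script-style command line (not a real TRM command): the node
    # address comes from the event, NSPHostIP is left for the runtime prompt.
    print(fill_command("quarantine --host $NSPHostIP --node $attackerAddress", values))
    # URL-style command, in the form of the Google Search example on this page.
    print(fill_command("http://www.google.com/search?q=$selectedItem", values, url_encode=True))
```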

TRM Commands 

TRM Command                  Description 

Auth Queue 
    Shows the Authorization queue so you can allow or deny any TRM actions listed in 
    the queue (such as Block IP Traffic or Disable Enterprise Account). 

Auth Report 
    Generates reports for quarantines located in the authorization queue. 

Block IP Range 
    Blocks an IP address range on Layer 3 devices on your network so that traffic from 
    nodes with those IP addresses is not permitted. 

Block IP Traffic 
    Blocks any IP traffic coming from a node on the network to the destination port 
    specified in the event. 

Disable Enterprise Account 
    Disables a user account so that the user cannot log on to your network. 

    The user account needs to belong to the default Enterprise Account Source 
    configured on the NSP appliance. 

Investigate Node 
    Initiates the “investigate” process so you can obtain information about a node’s 
    connectivity to the network, such as its IP address, DNS name, MAC address, and 
    location type (whether the node is on an internal or an external interface in the network 
    topology). You can also see which Layer 3 network device is closest to the node and 
    the Layer 2 network device to which the node connects. 

    You can use this information in a Case. 

Network Devices 
    Lists all the network devices that NSP is managing, such as routers and switches. 

Attacker-Target Maps 
    Displays a map showing network connections for an Attacker-Target scenario (based 
    on the nodes in the event selected in the ArcSight Console). 

    Note: The map shows Layer 3 logical connectivity (possible routes) not physical 
    connectivity (wires that connect devices). So, the map might not depict the physical 
    topology of the network. 

Quarantine Node 
    Quarantines a node when you discover a problem that has the potential to spread to 
    other nodes in your network. You can select from these Quarantine actions: Disable 
    Port, Filter MAC, and Move to VLAN. 

Response Log - Blocked IP Range 
    Lists all Block IP Range actions taken by TRM and provides details about each one, 
    such as who performed the action, when the action was taken, and the devices on 
    which the action was taken. 

Response Log - Blocked IP Traffic 
    Lists all the Block IP Traffic actions taken by TRM and provides details about each 
    one, such as who performed the action, the date and time the action was performed, 
    and the devices on which the action was taken. 

Response Log - Disabled Account 
    Lists the Disable Enterprise Account actions taken by TRM and provides details 
    about each one, such as who disabled the account, the date and time the account 
    was disabled, and the status of the disabled account. 

Response Log - Quarantined Nodes 
    Lists the Quarantine Node actions taken by TRM and provides details about each 
    one, such as the IP address of the quarantined node, the date and time the node was 
    quarantined, and the status of the quarantine (active or removed). 

Response Report 
    Generates a response history report that contains a text and graphical representation 
    of the actions performed on the NSP appliance. 


Enabling TRM Commands 

To enable pre-configured TRM commands from the ArcSight Console, follow these steps. 

Step 1 - Set up the Command Targets 

1. In the Navigator, click the Resources tab, and then navigate to Integration Commands > 
Targets. 

2. Create an integration target for your NSP appliance, or edit one of the existing entries. 

We recommend that you start by editing the target already provided for you in /All Integration 
Targets/ArcSight Administration/TRM/: 

TRM Appliance 1 

3. In the Target editor on the Integration Parameters tab, add at a minimum, the following 
parameters. 


Parameter   Type   Value 
NSPHostIP   Text   <IP address or Host Name of the NSP Appliance> 
you are prompted for other parameters needed when you run the commands. If you want to set up 
more parameters and values now, you can do so. (See "TRM Integration Commands" on 
page 647.) 


Tip: Best Practice Recommendation: We recommend saving only the target host 
information (for example, IP address) on the target server, not the authentication credentials. 
If you save authentication details as parameters on a target, you run the risk of opening up a 
remote server to any user with access to integration commands (but not necessarily an NSP 
TRM account). And you have no per-user tracking information, like you do if you save this 
information to user accounts. 


4. If you have more than one NSP Appliance, create an additional integration target for each 
appliance you want to integrate into the command hub. 

5. Click Apply or OK to save your changes to the target. 

(For general information about command targets, see "Specifying Targets" on page 641.) 

Step 2 - Set up the Command Configuration 

1. In the Navigator, click the Resources tab, and then navigate to Integration Commands > 
Configurations. 

You can find the pre-built TRM command configuration in /All Integration 
Configurations/ArcSight Administration/TRM/TRM Commands. 

This configuration includes all the standard content TRM commands. 

2. Edit the TRM Commands integration configuration: 

■ In the Configuration editor, click the Targets tab, and then add the integration targets you 
created in the previous steps (for example, if you used the provided target, choose TRM 
Appliance 1). 

3. Click Apply or OK to save your changes to the configuration. 

(For general information about command configurations, see "Using Configurations to Group 
Commands" on page 635.) 

Step 3 - Set up Users for TRM Access 

1. In the Navigator, click the Resources tab, and then navigate to Users. 

2. Edit the users that have access to the NSP appliance. In most cases, these users should have 
administrator privileges. 
3. Click the Integration Parameters tab, and then create an integration parameter for the NSP 
authentication token. (Administrators and users with accounts on the target server can obtain this 
token from the NSP appliance as described in "Understanding NSP Authentication" below.) 


Parameter   Type       Value                                                    Targets 
NSPAuth     Password   <NSP Authentication Token encrypted login credentials>   <Select targets for that TRM user> 


Tip: Best Practice Recommendations: 

■ Always set login credentials (passwords or authentication tokens) to type “Password” (not 
“Text”). (Credentials set to “Text” are not masked on the UI and are sent as cleartext if the 
renderer is an external browser.) 

■ Always save login credentials to user account (Save to User), not to the target server. This 
strategy binds authentication details to specific users and better safeguards target server 
access. Also, you have tracking information based on logins as to which users entered 
which commands. 


4. Click Apply or OK to save your changes to the user. 

(For general information about setting up login credentials and access control lists for integration 
commands, see "Authorization and Authentication Settings" on page 643.) 


Understanding NSP Authentication 

Integrated TRM commands require use of an encrypted authentication string (token) to connect to the 
NSP appliance. (An integrated TRM command sends this token to the target NSP appliance as part of 
a URL to accomplish user login.) 

The authentication token is used to log in to an NSP appliance (instead of a user name and password 
combo). Users who want to send TRM commands to an appliance need to have a valid NSP 
authentication token. This is used to set up login credentials on users. The token is specified as a value 
for the NSPAuth parameter for a particular user (in user accounts). 

How to Get an NSP Authentication Token 

To get an NSP authentication token, you need access to the NSP appliance. 

Log in to the NSP appliance, and generate the authentication token based on your login credentials. 

Note: Before you can generate an encrypted value as an NSP administrator or view it as a non-admin 
user, the setting Allow Encrypted Authentication Credentials in URL must be enabled 
(set to Yes). By default, this setting is disabled. 

So, as a prerequisite, an administrator needs to navigate to Admin tab > Users & Groups > 
Settings > Authentication tab to enable this setting. 


1. Generate the token. 

There are two ways to obtain an encrypted value for an NSP user name and password: 

■ An NSP administrator user can view the encrypted values for all NSP users on the View 
Encrypted Authentication Credentials page (Admin tab > Users & Groups > Settings > 
Authentication > View URL Strings). 

The key is displayed after you click View URL Strings. Make sure the setting Allow Encrypted 
Authentication Credentials in URL is set to Yes, otherwise the URL strings do not show up. 

■ An NSP user (with non-admin privileges) can view the encrypted value for their user name and 
password on the Change Password For <User_Name> page. To get to this page, click 
Options in the top, right-hand side of any NSP screen. The authentication key is displayed 
under “Encrypted Authentication Credentials in URL is enabled”. For information on password 
restrictions see the ESM Administrator's Guide's topic on "Managing Password Configuration." 

2. Copy the token. On both the administrator and user pages, the authentication token is displayed in 
this form: enc_auth=<AuthenticationKey> 

Tip: The authentication token is the string that follows enc_auth=. Be sure to copy only that 
string and do not include enc_auth=. A common problem with getting the TRM login to work 
with the integrated commands is not copying the full string, or including enc_auth= in the 
copy. 

3. After you get the encrypted value, use it as the value for the NSPAuth parameter (paste it into the 
parameter value field), as described in "Step 3 - Set up Users for TRM Access" on page 650. 

If you are setting up TRM commands on-the-fly (as you run the commands), you use this token 
during that process. For more on this, see "Entering/Saving Command Parameters at Runtime" on 
page 646. 
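A small check for the copying mistake the Tip above describes, as an added example in Python (not ArcSight or NSP code). The sample strings are constructed, and the assumption that a token contains no whitespace is the example's own:

```python
"""Added example: pulling the bare NSP authentication token out of what was copied from
the NSP page. Not ArcSight/NSP code; the sample strings are constructed.
"""
import re

# The page displays the token as enc_auth=<AuthenticationKey>; only the part after
# '=' belongs in the NSPAuth parameter. Token characters are assumed to be anything
# that is not whitespace.
ENC_AUTH = re.compile(r"enc_auth=(\S+)")
PREFIX = "enc_auth="


def extract_nsp_token(copied_text):
    """Return the token whether the user copied the whole displayed line or only the key.

    Raises ValueError for the failure modes the text calls out: an empty or
    whitespace-only copy, or a copy that has the prefix but nothing after it.
    """
    text = copied_text.strip()
    match = ENC_AUTH.search(text)
    if match:
        return match.group(1)
    if not text or text.startswith(PREFIX):
        raise ValueError("no authentication key found in copied text")
    return text


def nspauth_problems(value):
    """Pre-save check for an NSPAuth value; returns a list of problems (empty means OK)."""
    problems = []
    if not value:
        problems.append("empty value")
    if value.startswith(PREFIX):
        problems.append("value still includes the enc_auth= prefix")
    if value != value.strip():
        problems.append("value has leading or trailing whitespace")
    if any(ch.isspace() for ch in value.strip()):
        problems.append("value contains embedded whitespace (partial or multi-line copy?)")
    return problems


if __name__ == "__main__":
    for sample in ("enc_auth=AbCdEf123", "  AbCdEf123\n", "enc_auth="):
        try:
            print(repr(sample), "->", extract_nsp_token(sample))
        except ValueError as err:
            print(repr(sample), "->", err)
```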


Tip: Best Practice Recommendations: 

■ Always set login credentials (passwords or authentication tokens) to type “Password” (not 
“Text”). Credentials set to “Text” are not masked on the UI and are sent as cleartext if the 
renderer is an external browser. 

■ Always save login credentials to user, not to the target server. This binds authentication 
details to specific users, limits access to the remote server to appropriate users, and 
provides tracking information based on logins about which users entered which 
commands. 

If you save authentication details as parameters on a target, you run the risk of opening up 
a remote server to any user who has access to the integrated commands (but not 
necessarily an account on the target server). And you have no per-user tracking 
information. 


Examples of Running TRM URL Commands 

When you have NSP target appliance information and user authentication details, you are ready to run 
TRM commands from the ArcSight Console. Here are some examples of what to expect when you run 
a TRM command. 

Attacker-Target Network Map 

This example shows a network map with an attacker/target scenario and network paths. 

Right-click on an event in an active channel, and choose Integration Commands > TRM 
Commands. 

On the TRM Commands dialog, select Network Maps and TRM Appliance 1 as the target appliance, 
and click OK. 

This logs you in to the target NSP appliance, and sends the Attacker IP address, Target IP address, 
and Target Port as parameters on the Attacker-Target Map command. 

As a result, we get this map: 


[Figure: Attacker-Target Map] 



Mouse over Attacker-Target connecting line to show the threat data detail (IP addresses, priority, and 
port) as pictured. 

Investigate Node 


This example shows details on a selected network node. Right-click on an event in an active channel, 
select the field containing the IP address to investigate, and choose Integration Commands > TRM 
Commands. 


On the TRM Commands dialog, select Investigate Node and TRM Appliance 1 as the target 
appliance, and click OK. 


This logs us in to the target NSP appliance, and sends the selected node as a parameter on the 
Investigate command. 



Going Further with TRM Command Results 

From here, there are a number of ways you could leverage the details you get from the TRM examples. 

You can create a case based on the initial event you selected, and feed the NSP details into the case 
as Notes or an attached file. The drill-down information you get from a TRM Investigate Node 
command is typically richer. You can copy those details into case notes or into a text file and add it as 
an attachment. 

The Investigate Node display also provides a Simulate Quarantine option that lists actions TRM 
would take to quarantine the node. Running simulations and saving related details is useful where the 
security operations center (SOC) and network operations center (NOC) need to coordinate 
authorizations for taking actions. A SOC operator without authorization to quarantine nodes could 
investigate the node, run the simulation, and send the details to the NOC to take action. 

In this scenario, administrators might also use the TRM authorization queue. The operator who runs the 
TRM commands could quarantine the node, but the command would sit in an authorization queue until 
an administrator approves it to run. 

ArcSight Logger Search Commands 

Note: This topic applies to ESM 5.x and 6.0c. 

Beginning with ESM 6.5c, HP introduced the ArcSight Command Center. The Command Center 
provides an easy way to search events in ESM and ArcSight Logger. 

Refer to the Searches topic in the ArcSight Command Center User’s Guide for more information. 

ArcSight Logger Search commands are integrated into the ArcSight Console and provided as standard 
content. These commands enable searches on ArcSight Logger appliances and are supported starting 
with ArcSight Logger v4.0. 

Configuring the ready-made integrated Logger commands involves specifying IP addresses for the 
target Logger appliances and saving login credentials on users who need Logger search access. 


Logger Integration Commands 

Note: This topic applies to ESM 5.x and 6.0c. 

Beginning with ESM 6.5c, HP introduced the ArcSight Command Center. The Command Center 
provides an easy way to search events in ESM and ArcSight Logger. 

Refer to the Searches topic in the ArcSight Command Center User’s Guide for more information. 


These integrated commands are supported in ArcSight Logger v4.0 and later versions. (These are 
defined in /All Integration Commands/ArcSight Administration/Logger.) 


Logger Command         Description 

Logger Search 
    Allows you to right-click an event in an active channel and run a search for one of the 
    fields presented in a list. 

    • Displays a pop-up dialog with search options. 

    • Allows you to search by: 

        Event Name 
        Destination 
        Source 
        Destination and Source 
        User 
        Service Vendor and Product 

    • You can select the Logger appliance on which to search. 

Logger Quick Search 
    Allows you to right-click a field in an active channel to search based on the field and 
    value selected. If there is more than one Logger appliance set up, a pop-up dialog box 
    allows users to choose which appliance to search. 


Enabling Integrated Logger Searches 

Note: This topic applies to ESM 5.x and 6.0c. 

Beginning with ESM 6.5c, HP introduced the ArcSight Command Center. The Command Center 
provides an easy way to search events in ESM and ArcSight Logger. 

Refer to the Searches topic in the ArcSight Command Center User’s Guide for more information. 

You can use either of these approaches for setting up the Logger searches: 

• Configure target and authentication details before the commands are run (for example, a single 
administrator specifies Logger targets, users, and command parameter values). For this workflow, 
follow the steps below to: 

"1. Set up Logger Command Targets" below, 

"2. Set up the Logger Command Configuration" on the next page, and 

"3. Set up Users for Logger Access" on the next page. 

• Configure commands at command runtime (for example, if you launch a command based on an 
active channel selection and fill in the target appliance IP address, authentication token, and 
parameter values on-the-fly). 

If you have not pre-configured the command details, you are prompted to enter the right values 
when you run the commands. For information on how to run integration commands, see "Running 
Integration Commands" on page 645. (This topic includes information about running commands and 
entering/saving parameter values at command runtime.) 

To enable pre-configured ArcSight Logger searches from the ArcSight Console, follow these steps. 

1. Set up Logger Command Targets 

1. In the Navigator, click the Resources tab, and then navigate to Integration Commands > 
Targets. 

2. Create an integration target for your Logger Appliance, or edit an existing target in /All 
Integration Targets/ArcSight Administration/Logger/, such as Logger Appliance 1 or 
Logger Appliance 2. 

3. In the Target editor on the Integration Parameters tab, add these parameters. 


Parameter    Type   Value 
LoggerHost   Text   <IP address or Host Name of the Logger Appliance> 


4. If you have more than one Logger appliance, create an additional integration target for each 
appliance to be made searchable. 

5. Click Apply or OK to save your changes to the target. 

6. For information about command targets, see "Specifying Targets" on page 641. 

2. Set up the Logger Command Configuration 

1. In the Navigator, click the Resources tab, and then navigate to Integration Commands > 
Configurations. 

You can find the pre-built Logger command configurations in /All Integration 
Configurations/ArcSight Administration/Logger/ 

2. Edit the Logger Search integration configuration: 

In the Configuration editor, click the Targets tab and add the integration targets you created 
earlier. 

3. Edit the Logger Quick Search integration configuration: 

In the Configuration editor, click the Targets tab and then add one integration target from the list of 
targets you just created. 

4. Click Apply or OK to save your changes to the configuration. 

For information about command configurations, see "Using Configurations to Group Commands" on 
page 635. 

3. Set up Users for Logger Access 

1. In the Navigator, click the Resources tab, and then navigate to Users. 

2. Edit the users that have access to the Logger appliance. In most cases, these users should have 
administrator privileges. 

3. Click the Integration Parameters tab, and then specify the integration parameters for the Logger 
search. 

Parameter        Description 

LoggerUser       The Logger account name to use when accessing a Logger target. 

LoggerPassword   The password for that Logger account. 

LoggerHost       The IP address of the Logger host. 

OTPUser          The Logger user account to use with the OTP authentication feature (see 
                 note, below). 

OTPPassword      The password to use for the OTPUser specified above. 

LoggerPort       For OTP, you must specify the port number for the Logger. For a Logger 
                 appliance the port number is 443. 


Note: The One-Time Password (OTP) function requires that you are using Logger 5.1 or 
later. 

If you have an earlier version of Logger, then for Logger searches continue to use the 
LoggerUser and LoggerPassword as before. Until you install Logger 5.1 or later, searches 
display a message that the search failed to negotiate a single-use session token and is proceeding 
with regular authentication. Just click OK to continue. 


For all of these parameters, you can specify a type of “Password” or “Text.” For Text type, the 
password appears in plain text in the session URL. This is not an issue for any parameter except 
passwords, so use text for the others but use the Password type for passwords. 

Save to Target means that this parameter automatically applies whenever any user is accessing 
the currently-specified target Logger. 

Save to User means this parameter is used automatically whenever the currently-logged-in user 
accesses any Logger target. 

5. Click Apply or OK to save your changes to the user. 

For information about setting up login credentials and access control lists for integration commands, 
see "Authorization and Authentication Settings" on page 643. 


Example of Running a Logger Quick Search 

Note: This topic applies to ESM 5.x and 6.0c. 
Beginning with ESM 6.5c, HP introduced the ArcSight Command Center. The Command Center 
provides an easy way to search events in ESM and ArcSight Logger. 

Refer to the Searches topic in the ArcSight Command Center User’s Guide for more information. 


With Logger target appliance information and user authentication details, you are ready to run Logger 
searches from the ArcSight Console. 

Right-click on an event in an active channel, select a field such as Device Vendor or Device Product, 
and choose Integration Commands > Logger Quick Search. 
This logs you into the target Logger appliance (for example, Logger Appliance 1), and sends values for 
the selected fields as parameters on the search command. 

You get the results of the search in the browser, and are now logged in to the Logger Web client. 


Network Tools as Integration Commands 

The following standard network tools are also provided as integration commands. You can find this 
toolset in /Integration Commands/Shared/ArcSight System/Tools/. You can edit these or add 
new commands, configurations, and contexts as described in "Defining Commands" on page 628 and 
"Using Configurations to Group Commands" on page 635. (Also see "Using the Network Tools" on 
page 53.) 

With network tools integration commands you can: 
• Define contexts for where tools show up on the ArcSight Console. You can customize 
integrated network tools and configure them for all types of views (charts, graphs, tables), and in the 
navigator, editors, and so on. Legacy network tools are available only on grid views; you cannot 
define the context. 

• Select and run commands on navigator tree items, all types of views, and editor items. 

With integrated network tools, you can select various items in chart and graph views, on the editors, 
and in the navigator tree. Legacy network tools are limited to running only on the selected cell in a 
grid view (table) in the Viewer. 

• Configure access control lists (ACLs). You can grant or limit access to integrated network tools 
commands for particular user groups by setting ACL permissions on the tools resource 
group. The integrated network tools reside under /All Integration Configurations/ArcSight 
System/Tools. You can control access to the tools commands and configurations groups (select 
the Tools group, right-click, and choose Edit Access Control) as described in "Granting or 
Removing Resource Permissions" on page 190. You can organize users and the tools themselves 
into various groups to fit with the permissions scheme you want to create. 


Resource     Description 

Nslookup     Resolves an IP address to a host or domain name or vice versa. 

Ping         Determines whether a particular IP address is online and/or it tests and 
             debugs a network by sending a packet and waiting for a response. 

PortInfo     Lists standard usage such as WWW or FTP, for a specified port number. 

Traceroute   Shows the path from the ArcSight Console to the IP address selected in the 
             grid view, reporting the IP addresses of all routers in between. 

WebSearch    Search the Web through Google to find links to the keywords present in 
             currently selected active channel grid view cells. 

Whois        Looks up who is behind a given domain name; information might include 
             addresses and telephone numbers. 


These are configured with default Velocity Expressions for parameters. You can edit the commands 
and configurations for these network tools as needed (and add new ones). 

To run a network tool, select an IP address in a grid view (for example, active channel, list, data 
monitor) and select Integration Commands > <Network Tool> from the context menu (for example, 
Integration Commands > ping). 

Note: The Send Logs command is not configured as an integrated command. See "Using the 
Network Tools" on page 53 and "Send Logs" on page 1040 for information on that command. 

To add or reconfigure legacy tools: 

1. Choose Tools > Local Commands > Configure. 

2. Select a tool and click Edit. 

Keep in mind that they have limitations compared to the new tools. 


More Integration Examples 

To experiment with building integration commands, you need one command and one configuration. 
Create the commands first because the configuration references the commands. 

The configuration also defines how command results are rendered, and references contexts where 
your new Integration Commands appear in the ArcSight Console right-click menus (for example, 
Viewers, Resource Panel, Editors, and more specifics within those contexts). 

To define targets (remote servers where commands run), add them to the configuration. 

Here are examples of how to set up a command to do a Google Search on a selected cell in the 
ArcSight Console, and how to set up commands that use Google Maps to locate a target and an 
attacker. The examples do not require a “target,” so just set up a command, add it to a configuration, 
and run it. The details of this and other types of commands and configurations are discussed further in 
the topics that follow. 

To add a command for Google Search: 

1. Start by getting the format of the Google search. Do a Google Search in a Web browser. Copy the 
first part of the URL (everything before or to the left of the search term) from the Address bar, so 
you have it on your clipboard. (You paste it into the Parameters dialog in a later step.) 

2. In the ArcSight Console Navigator panel, select the Integration Commands resource from the 
drop-down menu and click the Commands tab. 

3. Right-click the group (folder) where you want to create the command and select New Command. 

4. On the Commands Editor, fill in these attributes: 

■ For command Type, choose URL. 

■ For Name, provide a user-friendly name like Google Search. 

■ For URL, click the browse button to get the Parameters dialog. Paste the Google search 
prefix into the Parameters dialog scratch pad: http://www.google.com/search?q= 

■ Click Attributes on the Parameters dialog to get a list of Velocity Expressions. Select the 
option, Selections > $selectedItem. The expression is added as a parameter to the search: 
http://www.google.com/search?q=$selectedItem 



■ Click OK to close the Parameters dialog and save your changes. 

■ Click Apply or OK on the Commands editor to save the command. 



5. Set up the configuration and add the command to it: 

a. Click the Configurations tab. 

b. Right-click a group and select New Configuration. 

c. On the Configurations Editor, select URL as the configuration Type, and set these 
attributes: 

° The output will be rendered on a Web browser specified during Console installation. 

d. Click the Context tab. This sets where in the ArcSight Console the command is available. 
Click Add to get a set of context fields, then click into each field to select a location, type, 
selection, and data type. (You can add multiple contexts by clicking Add again.) Add one 
context to show in the Viewer in all “views” and to take the selected cell as the “selection”: 


Location    Type        Selection       Data Type 

Viewer      All Views   Selected Cell   All Data Types 
When the search command is deployed as part of this configuration, and run using a right-click 
command in the context of the ArcSight Console, it searches on the text in the “cell” (Viewer 
table cell) the user selects in the ArcSight Console. 

e. Add the command to the configuration. On the Configuration Editor, click Commands. Click 
Add to get the command selector, select your Google Search command, and click OK. 


[Integration Commands Selector dialog: a tree of Integration Commands groups (Tools; Shared/All 
Integration Commands containing ArcSight Administration, ArcSight Foundation, ArcSight Solutions, 
ArcSight System, JumpStart, Personal, and Public; and Unassigned), with OK, Cancel, and Help 
buttons.] 


f. Click Apply or OK on the Configurations Editor to save the configuration. 

6. Run the Search command you just built: 

a. Open any active channel, list, data monitor, or query viewer with a table style view. 

b. Right-click any cell in the Viewer that contains a term you would like to search on, and select 
Integration Commands > Google Search (or whatever you named the command). 

The command runs a search using the text from the selected cell as the search term, and 
returns search hits in your preferred browser. 
To add a command for Google Maps: 

Use the same basic steps in the previous example for Google search to integrate a command named 
Google Maps. This Google Maps example lets you pass the GeoLatitude and GeoLongitude to locate, 
for example, an attacker and a target. Refer to the following information as a guide for the URLs in your 
integration command. 


Command     URL and attribute 

Attacker    http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude} 

Target      http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude} 
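Both of these commands build a URL by substituting event fields into a template, and the substituted text comes straight from event data that an attacker may have planted in a log line. The following Python script is an added illustration, not ArcSight's Velocity engine and not code from this guide: it expands the $name and ${name} placeholders the way the Google Search and Google Maps templates above use them, percent-encodes every substituted value, and shows what happens to the query string when the selected cell contains "&" or "=" and the value is not encoded. The templates are copied from the examples above; the event values and the function names are constructed for the demonstration. Whether the Console encodes parameter values before handing the URL to the browser is not stated in this guide, so check it on your own deployment before trusting a cell value in a URL command.

```python
"""Added example (not ArcSight code): expanding an integration-command URL
template from event fields, with the substituted values percent-encoded."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Templates as configured in the Google Search and Google Maps examples.
GOOGLE_SEARCH = "http://www.google.com/search?q=$selectedItem"
ATTACKER_MAP = "http://maps.google.com/maps?q=${attackerGeoLatitude},${attackerGeoLongitude}"
TARGET_MAP = "http://maps.google.com/maps?q=${targetGeoLatitude},${targetGeoLongitude}"

# Constructed event row. The selected cell carries '&' and '=', which an
# attacker can plant in a log message to add a parameter to the query.
SAMPLE_EVENT = {
    "selectedItem": "Nimda&safe=off",
    "attackerGeoLatitude": "37.3861",
    "attackerGeoLongitude": "-122.0839",
    "targetGeoLatitude": "51.5074",
    "targetGeoLongitude": "-0.1278",
}

# Matches ${name} (group 1) or $name (group 2), the two forms used above.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]\w*)\}|\$([A-Za-z_]\w*)")


def placeholders(template: str) -> list:
    """Names referenced by a template, in order of appearance."""
    return [g1 or g2 for g1, g2 in PLACEHOLDER.findall(template)]


def missing_fields(template: str, event: dict) -> list:
    """Placeholders the event cannot supply (for example, no geo data on the event)."""
    return [n for n in placeholders(template) if n not in event]


def render_url(template: str, event: dict, encode: bool = True) -> str:
    """Substitute event fields into the template.

    With encode=True every value is percent-encoded with no characters left
    'safe', so it can only ever be the value of the parameter it was placed
    in. encode=False performs the raw substitution, for comparison.
    """
    missing = missing_fields(template, event)
    if missing:
        raise KeyError(f"event lacks fields: {missing}")

    def sub(match: re.Match) -> str:
        value = str(event[match.group(1) or match.group(2)])
        return quote(value, safe="") if encode else value

    return PLACEHOLDER.sub(sub, template)


def query_params(url: str) -> dict:
    """Parse the query string of a rendered URL the way the receiving site would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    for tpl in (GOOGLE_SEARCH, ATTACKER_MAP, TARGET_MAP):
        print(render_url(tpl, SAMPLE_EVENT))
    print("raw:    ", query_params(render_url(GOOGLE_SEARCH, SAMPLE_EVENT, encode=False)))
    print("encoded:", query_params(render_url(GOOGLE_SEARCH, SAMPLE_EVENT)))
```

With encoding, the whole cell value stays inside the q parameter; without it, the same cell splits into q=Nimda plus an attacker-chosen safe=off parameter. The missing_fields() check covers the Google Maps case where an event has no geo-location fields and the command should not be offered or run at all.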
Chapter 24: Knowledge Base Authoring 

These topics explain how to do the basic tasks of managing Knowledge Base articles. 


Managing Knowledge Base Articles 

You can apply the following methods to incorporate knowledge base (KB) articles in the Console. 

• Write a new article in the Console using your preferred text or HTML editor. For this method, make 
sure you have set your Console preferences for your preferred editor. See "Setting Default Editors 
and Viewers" on page 78 for the procedures. 

• Import an existing file or web page. 

• Reference an existing file or web page. 

Writing or importing the article means the content is stored in the Console and you edit the content in 
the Console. If you edit an imported article in the Console, the original remains untouched. Conversely, 
editing the original of an imported article does not affect the content that resides in the Console. 
Referencing an article means the content is being maintained externally. 

To enter or change basic information about the KB: 

1. On the Navigator panel's drop-down menu, choose the Knowledge Base resource tree. 

2. If you are creating a KB, right-click a group and choose New Article. 

If you are editing a KB, right-click the KB and choose Edit Article. 

Tip: In edit mode, the Launch Editor and Upload File buttons are enabled. 

3. In the Knowledge Base Editor, select the Article tab. 

4. On the Article tab, type in the Name text field for the new KB, or make edits for the existing KB. 

5. Optionally use the Summary field to add a brief description of the article. 

6. Optionally enter a different name for the information source in the Author/Credits field. 

At this time, the Upload File and Launch Editor buttons are still disabled for new articles. Note that 
this condition applies only if you are defining a KB for the first time. 

7. In the Import/Reference field, select Import to enable the buttons. 




From here, you can use the Console to write the article using your preferred editor. You can also 
choose to import an article or to reference an article. 

To write the article using your preferred editor: 

This assumes you have completed the steps to enter basic information about the KB. 

1. Click Launch Editor to start your editor application. 

2. In the editor application, type the content of your article. Save the file. 

The file has an assigned filename using a default path where the Console is installed. On the 
Console's edit panel for the KB, this path is inserted in the Origin URL field. 

3. Click Apply to save the KB definition. 

After saving, the Origin URL field is cleared. 

4. Verify that the content is added to the KB by clicking the edit panel’s Editor tab. 

If the content needs to be changed in the future, do it here. 

5. Click Preview if you want to see how the article will appear in your default Web browser. 

To import an article: 

This assumes you have completed the steps to enter basic information about the KB. 

Note: When you select Import, only the content between the body tags of the HTML page appears. 
Therefore, use Reference when the HTML page uses JavaScript, uses frames, or includes images. 
Choose Import after you have used an editor to create a file specified in the Origin URL text field. 

1. In the Origin URL text field, type the URL or directory path to the page or file. 

2. In the Import/Reference field, verify that Import is selected. 

3. Click Apply to save the KB definition. 

4. Verify that the content is added to the KB by clicking the edit panel’s Editor tab. 

If the content needs to be changed in the future, do it here. 

5. Click Preview if you want to see how the article will appear in your default Web browser. 

To reference an article: 

This assumes you have completed the steps to enter basic information about the KB. 
1. In the Origin URL text field, type the URL to the page or file that contains the article's information. 

2. In the Import/Reference field, select Reference. 

3. Click Apply to save the KB definition. 

4. Click Preview if you want to see how the article will appear in your default Web browser. 

To show an article: 

In the Knowledge Base window, right-click an article and choose Show Article. 

To move or copy an article: 

1. In the Knowledge Base window, navigate to an article and drag and drop it into another group. 

2. Choose Move to move the article, Copy to make a separate copy of the article, or Link to create a 
copy of the article that is linked to the original article. 

If you choose Copy, you create a separate copy of the article that is not affected when the original 
article is edited. If you choose Link, you create a copy of the article that is linked to the original 
article. Therefore, if you edit a linked article, whether the original or the copy, all links are edited as 
well. When deleting linked articles, you can either delete the selected article or all linked article 
copies. 

To delete an article: 

1. In the Knowledge Base window, right-click an item and choose Delete Article. 

2. In the dialog box, click Delete. 


Managing Knowledge Base Article Groups 

Knowledge Base article groups can be used to organize similar or related articles in a single location. 
For example, you could create a Denial of Service group to store specific articles about Denial of 
Service attacks such as a Ping Flood attack. 

Groups and articles can be managed with drag and drop functionality. You can move or copy groups 
and articles into other groups within the Knowledge Base resource tree. If a group is deleted, the 
articles within that group are also deleted. 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 

Use the procedures in this topic to create, edit, move, and manage your KB groups. 
To create a knowledge base group: 

1. In the Navigator panel's drop-down menu, choose the Knowledge Base resource tree. 

2. In the Knowledge Base window, right-click a group and choose New Group. 

A name text field appears under the group you selected. 

3. In the name text field, type in a name. 

4. Press Enter. 

To rename a knowledge base group: 

1. In the Knowledge Base resource tree, right-click a group and choose Rename. 

2. In the name text field, rename the group. 

3. Press Enter. 

To edit a knowledge base group: 

1. In the Knowledge Base resource tree, right-click a group and choose Edit Group. 

2. In the Group Editor, type in the Name and Description text fields. 

3. Click OK. 

To move or copy a knowledge base group: 

1. In the Knowledge Base window, navigate to a group and drag and drop it into another group. 

2. Choose Move to move the group, Copy to make a separate copy of the group, or Link to create a 
copy of the group that is linked to the original group. 

If you choose Copy, you create a separate copy of the group that is not affected when the original 
group is edited. If you choose Link, you create a copy of the group that is linked to the original 
group. Therefore, if you edit a linked group, whether it be the original or the copy, all links are edited 
as well. When deleting linked groups, you can either delete the selected group or all linked groups. 

To delete a knowledge base group: 

1. In the Knowledge Base resource tree, right-click a group and choose Delete Group. 

2. In the dialog box, click Yes. 
To update knowledge base groups: 

If a group or article was renamed, deleted, or moved from another ArcSight Console, Refresh shows 
those changes. 

In the Knowledge Base resource tree, right-click the Knowledge Base group or article and choose 
Refresh. 


Associating Knowledge Base Articles 

Knowledge Base groups and articles can be associated with other resources such as cases, reports, or 
filters. 

To associate resources with KB groups or articles: 

1. Use the Navigator panel to locate an individual or group target resource, for example, a case or 
case group. 

2. Right-click the resource and choose Knowledge Base > Associate with. 

3. Use the Knowledge Base Article Selector to find and select an article to associate with the 
resource. 

4. Click OK. 

To associate grid elements with KB articles: 

1. In a Viewer panel grid view, right-click an event attribute and choose Knowledge 
Base > Associate > Cell/Row/Column with. 

2. Use the Knowledge Base Article Selector to find and select an article to associate with the grid 
view's selected cell (data), row (event), or column (attribute). 

3. Click OK. 
This chapter discusses the administrator tasks necessary to manage ArcSight ESM. 


Moving, Copying, Linking, and Deleting Resources 670 

Managing File Resources 671 

Locking and Unlocking Resources 674 

Selecting Resources 676 

Visualizing Resources 676 

Validating Resources 679 

Extending Audit Event Logging 684 

Common Resource Attribute Fields 685 

Saving Copies of Read-Only Resources 686 

Finding Resources 687 


Moving, Copying, Linking, and Deleting Resources 

You may need to move or duplicate a resource to better organize your work or to make editable copies. 
You may also need to delete resource definitions you no longer need. These tasks are described here. 


To move, copy, or link a resource: 


1. Choose the resource type you want to work with in the Navigator (Active Channels, Filters, Rules, 
and so on). 

2. Navigate to and select a resource instance in the tree, and drag and drop it into another group of 
the same resource type. The system displays a dialog that provides options to move, copy, or link 
the resource. 


Drag & Drop Options 
Select Move to move the resource, Copy to make a separate copy of it, or Link to create a copy of the 
resource that is linked to the original. 

If you select Copy, you create a separate copy of the resource definition that will not be affected when 
the original is edited. If you select Link, you create a copy of the resource definition that is linked to the 
original. Therefore, if you edit a linked resource definition, whether it be the original or the copy, all links 
are edited as well. When deleting linked resource definitions, you can either delete only the selected 
one or the selected one and all linked copies. 

To delete a resource: 

1. Navigate to the resource type you want to work with. 

2. Select a resource instance in the tree, right-click and choose Delete <Resource> from the 
context menu. 


Managing File Resources 

The Files resource tree, when populated, lists various files that have been saved as resources so that 
they are accessible to all users of the system who are authorized for such access. File resources 
include case file attachments, templates, and general-purpose shared files. 

In addition to the tasks detailed below, you can also rename or lock a file, get a Graph View of a file, 
and so forth. Simply select the file in the Navigator, right-click, and choose a menu option. Operations 
on groups are also available. Options may vary depending on which file or folder you have selected in 
the Navigator. 
Uploading Files and Creating a File Resource 

1. Choose the Files resource tree in the Navigator panel. 



2. Right-click a file group and choose New File. 

3. At the bottom of the File Editor panel, click the Upload button and select the local file to add. 

4. On the Upload File Content browser, choose the file and click OK. 

5. On the File Editor Attributes tab, enter values for the attributes that identify the file. 

The Name attribute is initially the same as the Filename attribute, but you can change the Name. 

Certain attributes are read-only: Upload type is Console, and Filename, File size, and Mime type 
are set based on the selected file. 

6. Click Apply to update the file and leave the editor open, or OK to complete editing and close the 
editor. 


Working with Files 

To view files: 

Note: Case attachments and Manager-generated files are stored in Files/Shared/All 
Files/Attachments. 

1. Choose the Files resource tree in the Navigator panel. 

2. Right-click a file and choose Open. 

3. The file is downloaded to a temporary directory (in a sub-directory called arcsight-files) and 
launches in an appropriate viewer, usually a web browser. 

You can also open a file resource from the File Editor by clicking the Open button. 

To download files locally: 

1. Choose the Files resource tree in the Navigator panel. 

2. Right-click a file and choose Download. 

3. Specify a location and file name for the new local file. 

Note: File resources can be downloaded as often as needed by any Console user authorized 
to access the file resources. Downloading a file does not change the file resource, or the 
shared file contents on the server. 

You can also download a file resource from the File Editor by clicking the Download button. 

To edit file resource attributes: 

1. Choose the Files resource tree in the Navigator panel. 

2. Right-click a file and choose Edit File. 

3. Change the values, as appropriate. 

4. Click Apply to update the file and leave the editor open, or OK to complete editing and close the 
editor. 

To replace file resource contents: 

1. Choose the Files resource tree in the Navigator panel. 

2. Right-click a file and choose Edit File. 

3. Click Replace and select the local file containing the new contents for the file resource. The file 
resource name changes if the selected local file has a different name. 

4. Click Apply to update the file and leave the editor open, or OK to complete editing and close the 
editor. 
To delete file resources: 

1. Choose the Files resource tree in the Navigator panel. 

2. Right-click a file and choose Delete File. 

3. Click Yes to confirm the deletion. 

To add a folder or file to a Package: 

From the Files resource Navigator, you can add a file or folder to an existing package or create a new 
package and add the file to it. 

1. Choose the Files resource tree in the Navigator panel. 

2. Right-click a file or folder and choose Add to Package. 

This brings up the Package Selector dialog. 

3. In the Package Selector dialog, do one of the following: 

■ Navigate to a package to which you want to add the file or folder, and click OK. (The file is 
saved to the selected package.) 

Or 

■ Navigate to a location where you want to create a new package and click New Package. This 
brings up the Package Editor where you can name and configure the new package. The selected 
file or folder is included in the new package. 

For more about managing packages, see "Managing Packages" on page 693. 

To find a file: 

To find files stored on the Manager, choose Files in the Navigator and browse the folders or choose 
Edit > Search from the menus, enter a file name in the Search query field, and click Find. (See 
"Finding Resources" on page 687 for more information on this utility.) 


Locking and Unlocking Resources 

The locking and unlocking capability applies to the following ArcSight content: 

• System core content 

• User created content 
ArcSight Standard Content 

A set of predefined standard content is installed by default. This content provides the foundation 
building blocks for ESM to work. 

Standard content is available in the ArcSight System sub-tree of each resource tree. For example, core 
content for the Filters resource is available in Shared/All Filters/ArcSight System/. 

The modification of ArcSight System content can adversely impact operation, therefore, it is locked by 
default. HP strongly recommends against unlocking or modifying this content. To unlock this content, 
contact Customer Support. 

Note: Use the resources available in ArcSight Administration and other content purchased from 
the Marketplace to create content that suits your needs. 


User-Created Content 

ArcSight users can lock any resource or a group of resources to which they have write access 
privileges. Locking prevents a resource from being modified or deleted. Once locked, such resources or 
groups can be unlocked only by these users: 

• The user who applied the lock; the lock owner. 

• Any user who has write permissions to the lock owner. That is, a user who has privileges over the 
user who applied the lock. For example, the administrator user has write permissions over all users 
by default. Therefore, if user joe locks a resource, the user administrator can unlock it. 


Note: You can make a copy of a locked resource even if you do not have the privileges to unlock 
it. 


You can edit resources in a locked group if you have write access privileges to the resource, however 
you cannot do the following: 

• Delete or remove resources from it. 

• Add a new resource to it. 


To unlock a resource: 

Right-click the locked resource and select Unlock from the drop-down menu. 
Selecting Resources 

You often need to select resources to act on or use while authoring or configuring analysis tools. 
Selecting is often the first step in managing, authoring, or analyzing resources. 

While the Navigator panel is your usual means of selecting resources, you can also encounter the 
Select Resources dialog box any time selection is a necessary part of some task, such as adding a 
case group to a rule action or adding user groups to access control lists (ACLs). 

For resource groups, click to highlight and select the group you want to choose, then click OK. For 
options that allow multiple selections, select the check boxes next to individual entries in the list under 
a group, then click OK. 

This dialog is also displayed for setting user permissions on resources and operations. 

For information about setting permissions on resources, see "Managing Permissions" on page 189. 

For information about setting action permissions on who can deploy data monitors, see also 
"Controlling Who Has Permissions to Deploy Data Monitors" on page 200. 


Visualizing Resources 

The resources presented in the Navigator panel or graphically in the Viewer panel are organized into 
hierarchical groups for easy browsing. Among similar types of resources, there can be logical 
relationships. Graphs can make these relationships readily visible. 


Graphing Resources 

1. Choose any resource tree in the Navigator, with the exception of Notifications. 

2. Select and right-click one or more individual resources or resource groups. 

3. Choose Graph View in the context menu. 

The Viewer panel graphs the resources in a new channel. 
Using Graphs 

Once generated, you can manipulate graphs further. There is a set of command buttons at the top of the 
view and a parallel set of commands available by right-clicking the graph itself. 


Resource Graph Command Buttons 

Command Button          Description 

Inspect                 Opens a new event-monitoring channel, using the visualization's current 
                        timeframe, event and node filters. 

Refresh                 Updates the graph. 

Fit Content             Sizes the graphic to the available display space. 

Zoom In / Zoom Out      Increases or decreases the size of the displayed graphic. 

Zoom Selected           Zooms in on a selected portion of a graphic. 

Hierarchic Layout       Presents nodes in a vertically descending cascade, similar to a family tree. 
                        Hierarchic layouts are appropriate when viewing event relationships that 
                        have a common root. 

Organic Layout          Displays nodes in an arrangement based on minimum edge length, which 
                        tends to cluster nodes that relate to a common node. Likewise, node clusters 
                        with nodes in common also tend to group together. 

Circular Layout         Positions nodes in hub-and-spoke arrangements with each node radiating 
                        edges to, or receiving edges from, the nodes with which it interacts. Circular 
                        layouts are most useful when multiple roots are present or there are a number 
                        of source-target relationships to clarify. If an organic layout is difficult to read 
                        because the edges are too dense, try a circular layout instead. 

Orthogonal Layout       Arranges nodes on the basis of logical connections, using electrical 
                        schematic-style right-angle layouts. These layouts are very useful for clearly 
                        tracing connections and identifying node clusters. 

Overview                Opens a reduced rendering of the entire graph. You can drag the highlighted 
                        section in the reduction to move the displayed area in the main view. 

Hierarchy Tree          Opens a complete list of the nodes plotted in graphic layouts. Click a node in 
                        the list to scroll to that node in the main view. 

Print                   Prints the displayed graphic. 

Export to JPEG          Creates and saves a JPEG-format copy of the current image. 

Add Graph View to Case  Adds the current graph view to a case you select. Choosing this option opens 
                        the Case Selector dialog, where you can browse cases. Select a case to which 
                        to add the current graph view and click OK on the Case Selector dialog. The 
                        graph view is added to the selected case as an attachment, accessible on the 
                        Attachments tab in the case editor for that case. 

Help                    Displays the relevant ArcSight Console online Help topic. 

Snapshot                Creates a new copy of the visualization itself. This graphic is not associated 
                        with a dashboard, even when starting from a dashboard viewer. 

Snapshot Selection      Opens a new visualization that contains only the selected nodes and their 
                        connecting edges. 

(The toolbar button icons are not reproduced here.) 


Configuring Resource Graphs 

1. Choose any resource tree in the Navigator, with the exception of Notifications. 

2. Select and right-click one or more individual resources or resource groups. 

3. Choose Graph View in the context menu. 
4. Right-click anywhere in the Viewer panel and choose Configure Resource Graph from the 
context menu. 

This brings up the Configure Resource Graph dialog where you can specify which resources to 
display in graph views. 

5. Select resources to show or hide. (Click checkboxes to toggle show/hide options on resources. 
Resources with check marks are configured to show for the selected graph view.) 

6. Click OK to save your changes. 

For more information, see "Selecting Resources" on page 676. 


Viewing Resources in Grids 

While the grids you see in the Viewer panel are most often views of events, these grids can also 
display organized sets of information about resources in the Navigator panel. 

In the Navigator panel, certain resource groups include Grid View in their right-click context menus. 
This command causes the items in the group to display in a grid view, where you can review them 
using the sorting and column customization features that grid views offer. You can also right-click 
resource items in grid views and use the same context commands that those resources have in the 
Navigator panel. 


Validating Resources 

Resources can break or become invalid because they are improperly built or cannot find other 
resources they depend on. The following topics describe how to identify valid and invalid resources, 
show how to troubleshoot and fix broken resources, list requirements for valid resources, and provide 
tips for manual and automatic resource validation. 

Caution: 

It is possible that dependent resources are pointing to the wrong resource. This usually happens if 
you rename a resource, then re-use the old name on a new resource of the same type. The 
dependent resources will be linked to the old name. To avoid this problem, don’t re-use an old 
name on resources of the same type. An example of a dependent relationship is that of a query 
depending on a trend. 


About Valid and Invalid Resources 

Valid resources show up in the Navigator with their associated icons as described in "Navigating" on 
page 40. 
A resource can "break" or become "invalid" either because it is constructed improperly (for example, 
when an active list schema does not match the underlying table) or because another resource it 
depends on is missing from the database (for example, when a rule references an unavailable filter). 
The latter can happen when a resource used in other resources is deleted from the Manager, or not 
retained during an upgrade, import, or export. 


Invalid resources show up in the Navigator with a broken or torn version of the resource icon in 
place of the normal one (for example, a torn filter icon instead of the usual filter icon; the icons 
are not reproduced here). An invalid resource also includes an "Invalid Reason" field on the 
Attributes tab of its editor, as described in "Common Resource Attribute Fields" on page 685. 


A valid resource is fully available to other resources that reference it, and can participate in the event 
flow, trends, reports, data monitors, channels, filters, rules, and so forth. 


An invalid resource cannot participate in the event flow or other resources in real time. For example, an 
invalid asset cannot participate in event asset resolution. Correlated events in which the source or 
target address points to the invalid asset are not generated. Similarly, an invalid rule does not trigger 
and generate correlation events. 
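A small model of that dependency check, as an added example that is not ArcSight's implementation and not code from this guide: resources are keyed by an immutable ID, a resource is invalid when a referenced ID is missing or is itself invalid, and the break cascades to every dependent, which is how deleting "My Hotlist" invalidates "My Top Threats" and the rule and scheduled job built on it. The sample resource set, its IDs, and the reason strings are constructed for the illustration; dependents_of() is the check a practitioner would run before deleting a shared filter or rule.

```python
"""Added example (not ArcSight code): a toy model of resource dependency
validation, mirroring the "My Top Threats" / "My Hotlist" case in the guide."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    rid: str                  # immutable identifier that other resources reference
    name: str                 # display name; reusing one is the renaming hazard noted above
    rtype: str                # Filter, Rule, Scheduled Job, ...
    depends_on: list = field(default_factory=list)   # IDs this resource references


def build_sample() -> dict:
    """Constructed resource set: scheduled job -> rule -> filter -> filter."""
    items = [
        Resource("F1", "My Hotlist", "Filter"),
        Resource("F2", "My Top Threats", "Filter", ["F1"]),
        Resource("R1", "Hotlist Rule", "Rule", ["F2"]),
        Resource("J1", "Nightly Hotlist Job", "Scheduled Job", ["R1"]),
    ]
    return {r.rid: r for r in items}


def validate(resources: dict) -> dict:
    """Return {rid: invalid_reason}, with None for resources that are valid.

    A resource is invalid if a referenced ID is missing, if a referenced
    resource is itself invalid (the break cascades upward), or if the
    reference chain loops back on itself.
    """
    reasons: dict = {}
    visiting: set = set()

    def check(rid: str):
        if rid in reasons:
            return reasons[rid]
        if rid in visiting:
            reasons[rid] = "circular dependency"
            return reasons[rid]
        visiting.add(rid)
        reason = None
        for dep in resources[rid].depends_on:
            if dep not in resources:
                reason = f"references missing resource {dep}"
                break
            if check(dep) is not None:
                reason = f"depends on invalid resource '{resources[dep].name}'"
                break
        visiting.discard(rid)
        reasons.setdefault(rid, reason)   # keep a "circular" verdict recorded mid-walk
        return reasons[rid]

    for rid in resources:
        check(rid)
    return reasons


def dependents_of(resources: dict, rid: str) -> set:
    """Everything that would break, directly or transitively, if rid were deleted."""
    found, frontier = set(), {rid}
    while frontier:
        target = frontier.pop()
        for r in resources.values():
            if target in r.depends_on and r.rid not in found:
                found.add(r.rid)
                frontier.add(r.rid)
    return found


def without(resources: dict, rid: str) -> dict:
    """Copy of the resource set with one resource deleted; its dependents stay behind."""
    return {k: v for k, v in resources.items() if k != rid}


def invalid_only(resources: dict) -> dict:
    """Only the broken resources and their reasons, as an Invalid Reason column would list them."""
    return {k: v for k, v in validate(resources).items() if v is not None}


if __name__ == "__main__":
    res = build_sample()
    print("before delete:", invalid_only(res))
    print("would break if F1 deleted:", sorted(dependents_of(res, "F1")))
    print("after delete: ", invalid_only(without(res, "F1")))
```

Deleting F1 leaves F2 pointing at a missing ID and R1 and J1 invalid by cascade; adding F1 back under the same ID clears all three, which is the fix-then-Validate flow described in the next topic.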


Fixing and Validating Resources 

When a resource becomes invalid, its Editor includes a Validate button that you can use to 
test and validate the resource after you fix it. Clicking the Validate button on a resource that was 
previously broken results in a check of the resource logic and dependencies. If the system determines 
the resource is now valid, the resource icon in the Navigator is updated to reflect a working resource. If 
the system determines the resource is still broken, an error message describes the problem. 

The general flow of steps to fix and validate a resource are: 


1. Identify an invalid resource. Sometimes problems with filters or rules (which are used in many 
other resources) are a result of broken resources. (A valid resource shows its normal icon; an 
invalid resource shows the broken version of that icon.) 

For example, if the "My Top Threats" filter depends on the "My Hotlist" filter, removing "My Hotlist" 
breaks "My Top Threats". 


A scheduled job (like a scheduled rule group or archived report) can also break if one of the 
resources it depends on is missing. The broken icon fora scheduled job shows up on the Current 
Jobs list. 


2. If you do not already know why a resource is broken, open its editor (double-click the resource in 
the Navigator panel) and click Validate in the resource editor. Validate gives you an error message 
that describes the problem. The error dialog includes a Copy button for copying longer messages 
to an external editor. 
3. Fix the problems with the resource. This may involve adding back in missing resources or 
rebuilding the resource to fit various other requirements as described in Troubleshooting Invalid 
Resources below. 

To continue with our example, adding back in the filter "My Hotlist" would fix the problem we 
mentioned in the beginning of the procedure. 

4. In the resource editor, click Apply to save changes to the resources you modified. 

Tip: For problems that can be validated on the local client, you can click Validate before 
clicking Apply, and if the resource is fixed its "working" icon is immediately reflected in the 
Navigator. However, for other types of problems, you need to Apply the changes to the 
resource before you Validate the resource. This is because some types of changes must be 
processed on the Manager to determine dependencies and relationships to other data not 
available on the local client. 

If you think you have fixed a resource but it is still not showing as fixed in the Navigator, make 
sure you Apply all the changes you made to it and then click Validate again. 

5. In the resource editor for the resource that was broken, click Validate. If the resource passes 
validation, its icon in the Navigator updates to reflect a working resource. 
To validate a scheduled job, click the Open scheduled jobs list tool button to display scheduled 
jobs in the Viewer, right-click the job you want to validate, and choose Validate from the context menu. 
If the job passes validation, its icon in the Current Jobs list updates to reflect a valid task. 


Troubleshooting (Requirements for Valid Resources) 

The most common cause of an invalid resource is a dependency issue; another resource that the 
broken resource depends on is missing from the database. Some resources have additional 
requirements or limits that can also affect validity. Following is a summary of requirements for creating 
valid resources. 

If any of these requirements are not met, the resource will break. To fix the resource, edit its definition 
to be in line with these requirements. 

• All Resources - If the definition for a resource references another resource, the referenced 
resource must be available in the Manager database. This requirement is true for all types of 
resources. 

• Devices and Assets - Each asset address must be unique within a zone, an asset can belong to 
one zone only, and the asset IP address must fall within the address range of its network zone. 

• Device and Asset Ranges - Start addresses must be less than end addresses, asset ranges must 
be within the address range of the associated network zone, and asset ranges should not overlap 
another asset range in the same zone. 

• Zones - Start addresses must be less than end addresses and network zones should not overlap 
other zones in the same network. 

• Reports - Report templates cannot contain more than 20 charts or more than 15 tables. 

• Active Lists - Active List schema must match the underlying table and must not include 
programming errors. 

For more information, see the Administrator’s Guide topic on Resource Validation. 
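The zone, asset and asset-range requirements above are mechanical enough to check before a bulk asset load or a package import, rather than discovering them one Invalid Reason at a time. The following Python is an added illustration, not ArcSight code and not the Manager's own validator: it applies the rules listed above (dependency on an existing zone, start below end, address inside the zone, uniqueness per zone, no overlapping ranges or zones) to a small model and reports, per resource, every reason it would be invalid. The Zone, Asset and AssetRange classes and all sample names and addresses are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    network: str  # zones in the same network must not overlap
    start: str
    end: str


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str     # an asset belongs to exactly one zone
    address: str


@dataclass(frozen=True)
class AssetRange:
    name: str
    zone: str
    start: str
    end: str


def _ip(text: str):
    return ipaddress.ip_address(text)


def _overlaps(a_start: str, a_end: str, b_start: str, b_end: str) -> bool:
    return _ip(a_start) <= _ip(b_end) and _ip(b_start) <= _ip(a_end)


def validate_resources(zones, assets, ranges) -> dict[str, list[str]]:
    """Return {resource name: [reasons]} for every resource that violates a requirement.
    A resource absent from the result passes all of these checks."""
    problems: dict[str, list[str]] = {}

    def flag(name: str, reason: str) -> None:
        problems.setdefault(name, []).append(reason)

    zone_by_name = {z.name: z for z in zones}

    # Zones: start address below end address; no overlap with other zones in the same network.
    for z in zones:
        if _ip(z.start) >= _ip(z.end):
            flag(z.name, "zone start address must be less than its end address")
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if a.network == b.network and _overlaps(a.start, a.end, b.start, b.end):
                flag(a.name, f"zone overlaps zone {b.name}")
                flag(b.name, f"zone overlaps zone {a.name}")

    # Assets: the referenced zone must exist (a dependency), the address must lie inside it,
    # and no two assets in one zone may share an address.
    seen: dict[tuple[str, str], str] = {}
    for a in assets:
        zone = zone_by_name.get(a.zone)
        if zone is None:
            flag(a.name, f"references missing zone {a.zone}")
            continue
        if not (_ip(zone.start) <= _ip(a.address) <= _ip(zone.end)):
            flag(a.name, f"address {a.address} is outside zone {zone.name}")
        key = (a.zone, a.address)
        if key in seen:
            flag(a.name, f"address {a.address} already used by {seen[key]} in zone {a.zone}")
        else:
            seen[key] = a.name

    # Asset ranges: start below end, inside the zone, no overlap with other ranges in the zone.
    for r in ranges:
        zone = zone_by_name.get(r.zone)
        if zone is None:
            flag(r.name, f"references missing zone {r.zone}")
            continue
        if _ip(r.start) >= _ip(r.end):
            flag(r.name, "range start address must be less than its end address")
        elif not (_ip(zone.start) <= _ip(r.start) and _ip(r.end) <= _ip(zone.end)):
            flag(r.name, f"range is not within zone {zone.name}")
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.zone == b.zone and _overlaps(a.start, a.end, b.start, b.end):
                flag(a.name, f"range overlaps range {b.name}")
                flag(b.name, f"range overlaps range {a.name}")
    return problems


# Constructed sample data: one valid resource of each kind next to the failure modes.
SAMPLE_ZONES = [
    Zone("Corp", "Corporate", "10.0.0.1", "10.0.0.254"),     # valid
    Zone("DMZ", "Corporate", "10.0.1.1", "10.0.1.254"),      # overlaps Guest
    Zone("Guest", "Corporate", "10.0.1.100", "10.0.1.200"),  # overlaps DMZ
    Zone("Lab", "Lab", "10.0.2.254", "10.0.2.1"),            # start above end
]
SAMPLE_ASSETS = [
    Asset("web1", "Corp", "10.0.0.10"),       # valid
    Asset("web2", "Corp", "10.0.0.10"),       # duplicate address within Corp
    Asset("db1", "Corp", "10.0.9.5"),         # outside Corp
    Asset("orphan", "Retired", "10.0.0.20"),  # zone does not exist: dependency failure
]
SAMPLE_RANGES = [
    AssetRange("Corp servers", "Corp", "10.0.0.100", "10.0.0.150"),
    AssetRange("Corp printers", "Corp", "10.0.0.140", "10.0.0.160"),  # overlaps servers
    AssetRange("Corp reversed", "Corp", "10.0.0.50", "10.0.0.40"),    # start above end
]

if __name__ == "__main__":
    for name, reasons in validate_resources(SAMPLE_ZONES, SAMPLE_ASSETS, SAMPLE_RANGES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Each reason string is the kind of abbreviated explanation the Invalid Reason field carries; running the checker over an asset export before importing it into the Manager avoids a round of Validate-and-fix afterwards.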


Automatic and Manual Validation 

You can validate individual resources manually through the Console with the Validate button as 
described above. 

Resource validation takes place automatically during an upgrade, package import or export, or when 
you insert or update a resource. Administrators can use a stand-alone, command-line utility on the 
Manager machine for validating resources and generating validation reports on an off-line Manager. 
This is often useful after an upgrade. 

For more information, see the Administrator’s Guide topic on Resource Validation. 


Resource Validation During Upgrade 

If the Manager detects a conflict during an upgrade or import process, it invalidates the conflicting 
resource, and continues with the upgrade or import process. The dependent resources of the 
conflicting resource are automatically re-validated and disabled after the resource validation process 
completes. 

After an upgrade process, a report called validationReport.html is generated in the 
<ARCSIGHT_HOME>/upgrade/out/<time-stamp> directory. After an import process, you can check the Console to 
make sure that you do not have any invalid resources. You are expected to fix the invalid resources 
manually. After you resolve the conflict, the dependent resources of the conflicting resource are 
automatically re-validated. 

An invalid resource cannot participate in the event flow, trends, reports, data monitors, or channels in 
real time. For example, if an asset is marked invalid, it cannot participate in the event asset resolution. 
As a result, correlated events in which the source or target address points to the invalid asset are not 
generated. Similarly, when a rule is marked invalid, it does not trigger, therefore, the corresponding 
correlation events are not generated. 
Extending Audit Event Logging 

Updates to existing resources are logged as audit events, as described in “Resources (Configuration 
Events Common to Most Resources)” under "Audit Events" on page 812. 

If you want to get additional details within the “update resource” audit events (beyond what is provided 
by default), you can enable a resource audit property on the Manager to specify which resources should 
show extended audit event information. 

To configure resources for more detailed update auditing, add a URI to the 
resource.audit.update.uris property in the server.properties file (refer to the topic, Managing 
and Changing Properties File Settings, in the ESM Administrator’s Guide for details). For example: 

resource.audit.update.uris=/All Users/ 


turns on extended audit logging for all resources under the /All Users/ subtree. 

Leaving this property blank would turn this feature off (and show only default audit information). 

To show detailed audit information for multiple resource types, list resource URIs separated by 
commas (no spaces). For example, to show extended update audit logging for users and system 
assets, set the property like this: 

resource.audit.update.uris=/All Users/,/All Assets/ArcSight System Administration/ 


Extended information on the resource update is logged in two places: 

• In the internal audit event generated for the resource update, Device Custom Strings is set with 
the update information. The audit event information is shown in the Device Custom Strings field 
in this format: 

<UUID generated for this change>:[<name of attribute>:<old value>:<new value>]+ 

• The update information is also written to a log file, <ARCSIGHT_HOME>/logs/default/resource_ 
update_audit.log. The audit event information is shown in the log in this format: 

<UUID generated for this change>:<URI of resource>:<ID of resource>:[<name of 
attribute>:<old value>:<new value>]+ 

Tip: How to interpret the resource update log: 

■ The “+” in the message format examples above is regular expression notation used to 
indicate that there can be one or more <name of attribute>:<old value>:<new 
value> triplets shown in the audit event. 

■ Any “:” character in any attribute name or value is escaped with a backslash to 

■ Any “\” character in any attribute name or value is escaped with a backslash to 
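Because the resource update records are colon-delimited and the tip above says the delimiter and the backslash are themselves backslash-escaped inside names and values, a naive split on ":" will mis-read any value that contains a colon (a Windows path, a URL, a time). The following Python is an added example, not part of the ESM product: a small parser for both layouts shown above (the resource_update_audit.log line with URI and ID, and the Device Custom Strings form without them) that honours the escaping, rejects records whose field count does not fit the UUID-header-plus-triplets shape, and filters records by the attribute that changed. It assumes, as the format implies, that the escaped delimiter is ":"; the UUIDs, URIs, resource IDs and values in the sample lines are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ResourceUpdate:
    change_id: str                       # UUID generated for this change
    uri: str | None                      # only present in the log-file layout
    resource_id: str | None              # only present in the log-file layout
    changes: list[tuple[str, str, str]]  # (attribute name, old value, new value) triplets


def split_unescaped(text: str, sep: str = ":") -> list[str]:
    """Split on separators not preceded by a backslash, and unescape '\\:' and '\\\\'
    (assumption: ':' and '\\' are the two characters the tip says are escaped)."""
    fields: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])  # escaped character: keep it literally
            i += 2
            continue
        if ch == sep:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_update(record: str, log_format: bool = True) -> ResourceUpdate:
    """log_format=True expects UUID:URI:ID:[attr:old:new]+ (resource_update_audit.log);
    log_format=False expects UUID:[attr:old:new]+ (Device Custom Strings)."""
    fields = split_unescaped(record.strip())
    header = 3 if log_format else 1
    if len(fields) < header + 3 or (len(fields) - header) % 3 != 0:
        raise ValueError(f"malformed record with {len(fields)} fields: {record!r}")
    rest = fields[header:]
    changes = [(rest[i], rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]
    if log_format:
        return ResourceUpdate(fields[0], fields[1], fields[2], changes)
    return ResourceUpdate(fields[0], None, None, changes)


def is_well_formed(record: str, log_format: bool = True) -> bool:
    try:
        parse_update(record, log_format)
        return True
    except ValueError:
        return False


def changes_to(attribute: str, records: list[str]) -> list[ResourceUpdate]:
    """Log-file records in which the named attribute changed: the hook for alerting on
    modifications to attributes you care about."""
    parsed = (parse_update(r) for r in records)
    return [u for u in parsed if any(attr == attribute for attr, _old, _new in u.changes)]


# Constructed sample records (raw strings keep the backslashes as they appear in the log).
LOG_LINE_1 = (r"9f1c3e7a-2b45-4d6e-8a90-1c2d3e4f5a6b:/All Users/Administrators/alice"
              r":AAAAconstructedResourceId==:description:old note:new note\: with colon"
              r":alias:alice:alice.w")
LOG_LINE_2 = (r"0c4d8e2f-7a19-4b3c-9d5e-6f7a8b9c0d1e"
              r":/All Assets/ArcSight System Administration/manager"
              r":BBBBconstructedResourceId==:externalId:C\:\\temp:D\:\\data")
DCS_RECORD = (r"9f1c3e7a-2b45-4d6e-8a90-1c2d3e4f5a6b:description:old note"
              r":new note\: with colon:alias:alice:alice.w")
SAMPLE_LOG_LINES = [LOG_LINE_1, LOG_LINE_2]

if __name__ == "__main__":
    for update in changes_to("alias", SAMPLE_LOG_LINES):
        print(update.uri, update.changes)
```

The parser deliberately refuses a record whose trailing fields do not form whole triplets instead of guessing at alignment, since a mis-aligned record would attribute an old value to the wrong attribute name.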

Common Resource Attribute Fields 

The following fields are common to several types of resources. You can find these fields on the resource 
editor Attributes tab for the resources, in the Common, Assign, Parent Groups, Creation Information, and 
Last Update Information sections. (See also "Resource Attributes" on page 1026.) 

Common 

Entering data in the Common section is optional, depending on your environment setup. 

Common Fields 

• Resource ID - Read-only field that shows the ID that ESM assigned to this resource when it was 
created. 

• External ID - An identification string suitable for, and which can be referenced by, systems outside 
ESM. Common applications of External IDs include appropriate naming for Case and Asset resources 
that are tracked in common with defect reporting or vulnerability-management systems. If your 
system interfaces with a third-party incident tracking system, such as Remedy, enter an ID that 
corresponds to that system. Your administrator can advise you on the correct values for this field, if 
applicable. 

• Alias (Display Name) - An optional alternate identification string used for referencing resources. If 
given, this alias appears in place of the resource's name everywhere it may be seen. Your 
administrator can advise you on the correct values for this field, if applicable. If you use an 
alternate event naming scheme in your environment, enter an alias for this resource here. 

• Invalid Reason - If a resource is broken or invalid, an “Invalid Reason” field is included in its 
Attributes table. An abbreviated explanation is shown in this field. (See also "Validating 
Resources" on page 679.) Click the browse button at the end of this field to get a popup dialog 
that shows the full text of the explanation. 

• Description - Description of the resource. Use this field to communicate the purpose of this 
resource to other users. For example, if this is a resource that leverages or depends on another 
resource (for example, a query viewer or trend that uses an SQL query), this is a good place to make 
note of that relationship. 

• Version ID - The globally unique version ID for this resource. Version IDs are assigned when you 
export a resource as part of a package, if the resource has changed. 

• Deprecated - Toggle to indicate whether the resource is current or deprecated (obsolete). 


Assign 

Assign Fields 

• Owner - A user selected from the Users resource tree who should be notified about this resource. 

• Notification Groups - The user groups selected from the Users resource tree who should be 
notified about this resource. 


Saving Copies of Read-Only Resources 

Although you may be limited to read-only access to certain resources in the Navigator panel, you do 
have the option to save a copy of such a resource to your own group where you have write access. 

1. Click the Save As button to make a copy of the resource. The resource group selector dialog 
appears, in which you specify the group for the copy. 

2. Select the group in which you want to save a copy of the resource. 

3. Specify the name you want to assign to your copy of the resource. 

4. Click OK. 

The resource copy appears in the resource tree. You have write permission on this copy. 

The Connectors, Users, and Notification editors do not support Save As functionality. In these editors, 
you see the OK/Cancel/Apply buttons, but the fields for those resources are read-only. 
Finding Resources 

Apart from visually navigating the resources in the Navigator panel, you can also find items in resource 
trees by searching or by locating them. 

The search capability uses conventional query elements to search the entire set of system resources, 
returning a ranked list of qualifying items. Each user sees only those resources for which they have 
permission, regardless of the query. You can search for a string in All Resources or within a particular 
resource, for example, Cases. 

Related topics: 

• "How Fields are Indexed" below 

• "Using Text Search Syntax" on the next page 

• "Using the Search Field on the Console Tool Bar" on page 690 

• "Using the Search Result Columns" on page 692 

• "Locating Specific Resources" on page 692 


How Fields are Indexed 

ESM indexes fields at multiple levels, the lowest level covering a limited number of fields. The scope of 
the search increases as the index level goes higher. 


Search index levels 

• Index level 0 - Index only these fields: name, id, uri, description, type, disabled, lockedBy. 

• Index level 1 (affected resources: Asset) - Index fields in level 0 plus additional fields such as an 
asset's IP address or host name. 

• Index level 2 (affected resources: all other resources except Asset) - Index all attributes 
associated with a resource. This level should satisfy most user requirements for text searches. 


Caution: Levels 3 and 4 are also supported and include relationships between resources. 
Increasing the index level may allow you to search deeper, however, the size of the index will 
increase and performance will slow down. 


Default search level settings: 

The default search index levels are defined as follows: 
search.index.level=2 
search.index.level.Asset=1 

You can change the level for all resources or specific resources, as described in the following 
procedure. 

To customize the search index level: 

1. Refer to the topic on editing server properties in the ESM Administrator's Guide for instructions on 
how to add settings in the server.properties file. 

2. To change the default of 1 for the Asset resource, add the setting in this format: 
search.index.level.Asset=number 

where number can be 0 or 2. For example, if you use 2, this means Asset will be indexed in the 
same way as all resources. 

3. To change the default for all resources other than Asset, add the setting in this format: 
search.index.level=number 

where number can be 0 or 1 . 

4. To customize the level for specific resources, add one statement for each resource you want to 
customize. For example: 

search.index.level.Resource=number 

where Resource can be any resource, and number can be 0 or 1. 


Using Text Search Syntax 

The search feature uses the Apache Lucene syntax. Lucene’s query parser interprets the following as 
special characters: 

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \ 

If your query string includes any of these special characters, escape them with a backslash 
(\) for your query to work correctly. For example, if your search string includes (1+1):2, you write it as 

\(1\+1\)\:2 

However, if your query string starts with a special character, enclose the entire string in double quotes. 
For example, to search for this Resource ID: 

^VVsOXg4BABCAIEuBhILMyg== 

Enter 

"^VVsOXg4BABCAIEuBhILMyg==" 

in the query text field. You also use double quotes to enclose a phrase, such as 
"keep them together" 

For additional information about the Apache Lucene syntax, go to 

http://svn.apache.org/repos/asf/lucene/java/tags/lucene_1_4_2/docs/ 

and read the document, queryparsersyntax.html. 

Write your queries using the documented conventions. 


Apache Lucene Syntax Relevant to Querying for Resources 

• Full or partial strings - Phrases, words, or partial words. 
Examples: "Attack Notification"; notification; notif 

• Wildcards - Question marks (?) for single-character substitutions and asterisks (*) for 
multi-character substitutions. 
Examples: attack?? (attacker, attacked); notif* (notify, notifier, notification) 

• Boolean Operators - Use AND and OR to join strings. 
Example: attack AND suspicious AND high 

• Fields - Resource field labels (grid view columns) followed by a colon, with the data expressed as 
plain strings, Boolean strings, quoted strings, or parenthetical expressions. 
Examples: type:datamonitor AND name:"event counts"; name:"address space"; 
name:(address+space); name:(+address space) 

• Exclusion - Use NOT, the minus sign (-), and the exclamation point (!) to exclude strings. 
Examples: at???? -attack; at???? NOT attack; at???? AND !attack; 
at???? AND !attack AND !type:zone 

• Proximity - Extend data-field queries' scope with a proximity factor expressed as a numeral 
following a tilde (~). The numeral sets the maximum number of words allowed between the 
specified words in the resources found. 
Examples: name:("top events"~1) (matches "top attack events"); name:("top events"~2) 
(matches "top serious attack events") 

• Fuzzy - Broaden query results with a relative letter-substitution factor expressed as a decimal 
fraction following a tilde (~). The values 0.0 to 0.9 apply, with the higher values increasing the 
substitutions made in the string. 
Example: name:mssp~0.2 
Entering Values: Examples 

• Dropdown fields - For dropdown fields that offer a list of values, enter the specific list item. 
For example, for a case's Ticket Type, enter Internal. 

• Dropdown fields with code and value pairs - For dropdown fields that offer a list of codes and 
their corresponding values, enter the code only. 
For example, for a case's Frequency, enter 0 to denote Never or Once. 

• Search narrowed to specific fields - To narrow your search to a resource's specific field, use the 
format 

resource:fieldName=someValue 

For example: 

case:name=MyCase 

The fieldname must match the database column name. Column names follow the camelCase 
format. You can derive the fieldname from the field's label on the Console. For example: 

■ If the label is Name, the fieldname is name. 

■ If the label is Ticket Type, the fieldname is ticketType. 

■ If the label is Estimated Restore Time, the fieldname is estimatedRestoreTime. 


Tip: Refer to "How Fields are Indexed" on page 687 for information on how to fine tune your search 
index level. 
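The escaping rule in "Using Text Search Syntax" and the label-to-fieldname rule in the table above are both easy to get wrong by hand when a search string is assembled from data (a resource ID pasted from a case, an external ID copied from a ticket system), and an unescaped "+" or ":" silently changes what the query means. The following Python is an added example, not ESM code: it escapes every Lucene special character listed on the page, quotes a term that starts with a special character or is a multi-word phrase (the two cases the page says need double quotes), derives a camelCase fieldname from a Console label, and composes the resource:fieldName=value form. The helper names and the sample ID are constructed; "&&" and "||" are covered by escaping each "&" and "|" individually.

```python
from __future__ import annotations

# Characters that Lucene's query parser treats as special, as listed on the page.
LUCENE_SPECIAL = set('+-&|!(){}[]^"~*?:\\')


def escape_lucene(term: str) -> str:
    """Prefix every special character with a backslash: (1+1):2 -> \\(1\\+1\\)\\:2."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in term)


def _quoted(term: str) -> str:
    # Inside a quoted string only the backslash and the quote itself need escaping.
    inner = term.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{inner}"'


def query_term(term: str) -> str:
    """Render one search term the way the page says the Console expects it:
    quoted when it starts with a special character or is a phrase, escaped otherwise."""
    if term and term[0] in LUCENE_SPECIAL:
        return _quoted(term)
    if " " in term:
        return _quoted(term)
    return escape_lucene(term)


def label_to_field_name(label: str) -> str:
    """Console label -> database column name in camelCase: 'Ticket Type' -> 'ticketType'.
    Note that capitalize() lowercases the rest of each word, so 'IP Address' -> 'ipAddress'."""
    words = label.split()
    if not words:
        raise ValueError("empty label")
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


def field_query(resource: str, label: str, value: str) -> str:
    """Compose the resource:fieldName=someValue form from a resource type and a Console label."""
    return f"{resource}:{label_to_field_name(label)}={query_term(value)}"


def join_and(*terms: str) -> str:
    """Join already-rendered terms with AND, the page's operator for narrowing a search."""
    return " AND ".join(terms)


if __name__ == "__main__":
    print(escape_lucene("(1+1):2"))
    print(query_term("^constructedResourceId=="))   # constructed ID starting with "^"
    print(field_query("case", "Ticket Type", "Internal"))
    print(join_and(query_term("attack"), field_query("case", "Estimated Restore Time", "4h")))
```

Treat the escaped or quoted output as the only thing that reaches the query box: building the query string by concatenating raw user input is what lets a stray operator widen or flip the search.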


Using the Search Field on the Console Tool Bar 


1. In the Search field on the Console toolbar, type a name or phrase. 

Refer to "Using Text Search Syntax" on page 688 for guidance on search syntax. 

2. Click the Find Resource button. 


The Search hits are displayed in the Viewer. Single-click an item to display a preview of its definition in 
the Details pane on the Viewer, or double-click it to open its definition in an Editor in the Inspect/Edit 
panel. 
To limit a search to a particular resource type, click the drop-down menu tab on the Search field and 
choose a resource type from the menus. Notice that some resource types have sub-types from which 
you can choose. If you limit the Search to a resource type, an icon representing the resource type you 
are searching on is displayed in the Search field (instead of the standard looking glass Search icon). 


For example, to search for a name or phrase only in Trends, choose Reports > Trends from the 
Search drop-down, enter the search string, and click the Find Resource button. 

The Search field in the toolbar accepts all the Query Options described below. 




As an alternative to using the quick Search field option, you can get a full Search panel in the Viewer: 

1 . Choose Edit > Find Resource in the Console's menus, or press Ctrl+F. 

2. In the Viewer panel's Resource Search tab, enter a query string in the Search query line, set the 
number of results to allow, and click Find. See "Using Text Search Syntax" on page 688 for 
guidance on search syntax. 

3. When the search returns its results, click any item to see its details or click a result column 
heading to change the order. 

When you click a resource listing in the Details panel, it shows you the various pieces of related 
system information that justified that item's ranking. 
Using the Search Result Columns 

The Find Resources viewer displays the resources found by the search. Click any column heading to 
toggle between descending and ascending order. 

• Score - Ranking of resources a query returns, based on how frequently the search term appears in 
each resource. 

• Type - Top-level categorization of the resource as shown on the Navigator panel, for example, 
Active Channel, Asset, Rule, and so on. 

• Name - The full name of the individual resource. 

• URI - Full uniform resource identifier for the individual resource. 


Locating Specific Resources 

The resource trees in the Navigator panel are useful for finding and using the security assets available 
in your organization and provided by ArcSight. However, when you are working with a particular 
resource in an editor or grid view, locating that item's position in a heavily populated resource tree can 
be inconvenient. 

You can use two right-click commands to instantly spot resource entries in the Navigator panel, from 
applicable grid view resource listings or resource editors. 

1. In an entry in a resources grid view, or in the top tab of a resource editor, right-click and choose 
Find <asset type> in Navigator. 

2. Look for the highlighted item in the Navigator panel's resource tree. 
Packages are collections of resources that can be installed into the system resource tree. 

To access available packages, click the Packages tab of the Navigator panel. The package tree 
appears, and you can click to expand installed packages to see the resources within. When the 
package button in the upper left is highlighted with a dark background, it displays uninstalled 
packages: this is the Advanced view. In the Advanced view, it also shows all the resources on which 
explicitly included resources depend. For example, a report might be explicitly included in a package, 
but any queries and templates are also implicitly included, unless they are explicitly, directly or 
indirectly (think groups), excluded. 


The icon for uninstalled packages is grayed out. When you click the package button again, the Normal 
view does not show uninstalled packages. The Normal view of the package contents only shows resources 
explicitly included in the package. When you toggle between views, each view remembers which 
packages were expanded, and restores the tree to that state. 


In the Advanced view, you can right-click an uninstalled package and select Show Package Archive 
Contents to show the resources in the package. 


In either view you can right-click an installed package and select Show Current Package Archive 
Contents to show the resources in the package. 

These options list all resources in the package, including details such as resource name, type, and full 
path to location in the tree. 
Creating or Editing Packages 

When you add a group to a package, all the group’s contents are automatically included. For top level 
groups (<Resources>/All <Resources>), the package therefore includes all folders that come with 
ArcSight, which may present a problem if the package is imported in another ArcSight system. If you 
defined resources directly under the All <Resources> node and you want to add these resources to a 
package, create a group and add the resources there. 

It is also important to note that when you delete a package containing a group, you delete members of 
the group that were added after the package was created. If it is a top-level group (<Resources>/All 
<Resources>), you would be deleting all of those resources. Packaging sub groups gives you more 
flexibility and less risk. Also see "Backing Up and Restoring with Packages" on page 703. 

When editing packages, you should consider whether you need to export it before you change it so you 
have a backup, and possibly export it when you are done, to update or create a new backup. 

Tip: Organizing your package contents 

Users typically create packages according to resources such as a package for lists, another 
package for queries, and so on. 

You can also consider creating packages according to use cases. For example, if you have 
created rules that act on specific lists, include those resources in the same package. 


To create or edit a package: 

1 . Choose the Package group in the Packages tree. 

2. To create a package, right-click the group and choose New Package. 

To edit a package, right-click the package in the group and choose Edit Package. 

3. In the Inspect/Edit panel, set or change the attributes as appropriate. Some of these attributes may 
not appear if they do not apply. The only required field is the Name field and many field values are 
supplied by the system: 

Package Editor Attributes 

• Name - Enter a name for the new package. 

• Required Packages - Specify the packages that must be installed for this package to function. 

• Optional Packages - Specify packages that are related to this package, but which are not required 
for it to function. 

• Required Features - Enter any features that must be available for this package to function. The 
pick list of features includes Pattern Discovery, for example. 

• Installed - This is a read-only status indicator. If it is checked, it indicates that the package is 
installed, which new packages are by default. You can uninstall a package by right-clicking it in the 
tree after you have created it, and selecting Uninstall Package. The icon for uninstalled packages 
is grayed out. 

• Update Available - This is a read-only status indicator. If checked, it indicates that a different 
version of the package was imported, but has not been installed. The icon for packages in this 
state has a small white up arrow in the lower left corner. 

• Author Name - Enter the name of the author or source for the new package. 

• Package Version - The package version can be any string, but the recommended format is n.n.n.n, 
with numbers in decreasing importance (major, minor, release, build). 

• ArcSight Version - This is a read-only ESM version that is the minimum product version needed to 
support this package. 

• Format - Specifies the format to use for archiving. This affects the resources that are included in 
the package, the resource attributes that are retained in the package, and how conflicts are 
handled during package installation. 

Tip: If your package contains lists, see also "List Data" on page 704 for additional help with 
formats you can use. 

■ Contentsync - Use this if you intend to synchronize content among other Manager peers. 
The Manager that is the source of the contentsync package is the designated publisher, 
while other Managers are the subscribers (content management feature). For details on 
content management and the establishment of peer relationships, refer to the ArcSight 
Command Center User’s Guide. 

Note: Not all packages are eligible for content synchronization. See "Supported Package 
Resources for Content Synchronization" on page 699 for more information. 

■ Default - Use this for backing up resources on a Manager. This format includes additional 
information, such as data in active lists, including information specific to a Manager, whereas 
other options do not. 

■ Export - Use this for packaging resources for transport between systems. Manager-specific 
information is excluded from the exported package for resources with attributes that would 
otherwise retain such information upon a "Default" export. 

For example, a trend packaged in "Export" format does not include Start End Time trend 
attributes nor original table IDs. Instead, the imported trend uses Start and End times 
corresponding to when the package is installed on a new system. Also at install, a new trend 
table is created. (See descriptions of Imported Trend Start Time and Imported Trend End 
Time fields under "Trend Attributes" on page 431.) 

Similarly, active lists and session lists packaged in "export" format do not include Locked By 
attributes, table IDs, or session/active list entries. New tables are created when the lists are 
imported, and the other attributes are tracked when these resources launch on the new 
system. 

This format packages other resources similarly as a means of optimizing portability for 
content distribution. 

Standard system content is packaged using the "Export" format. Also, Managed Security 
Service Providers (MSSPs) who provide content to installations at various customer sites 
might package resources in this format. 

■ Exportuser - Use this format only for exporting user accounts with no permissions, personal 
group information, or relationships to other resources. If you want to export user accounts 
that include permissions and groups, use the default format instead. 

■ Upgrade - For use by HPE Professional Services only. This format might be used for 
resource upgrades of older systems in some circumstances. (Usually, standard upgrade 
utilities and processes are used instead.) 

• Obfuscated - Check this box to encrypt the contents of the ARB file, making it impossible to view 
without importing it. 

• Exclude Reference IDs - Check this box to remove reference IDs from the package when it is 
exported. Generally, you would exclude reference IDs only when you plan to import the package 
into a different system. Leave the box unchecked to include reference IDs, which improve 
performance for packages that are imported to the same Manager from which they were exported. 

• Creation Timestamp - The date and time when this package was last exported (archived). 

• Required Package For - Shows any other packages for which this package has been set as a 
required package. These other packages are thus “Dependent Packages.” 

• Optional Package For - Shows any other packages for which this package has been set as an 
optional package. 

• Archive ID - A system-assigned ID that is refreshed whenever you export the resource. 

• Available Archive Translations - If the archive defining the package has been rendered into 
different languages, they are listed here. 


Also refer to the common attribute fields described in " Common Resource Attribute Fields" on 
page 685. 

4. Click the Resources tab in the Package Editor (see "Adding Resources to Packages" on the next 
page). Click the Add drop-down menu to select the resources that this package should contain. 
You can select groups or individual resources. 
Check the Children Only box to include resources below the specified resource in the tree. For 
example, selecting the group /All Session Lists/ArcSight Administration/User and checking 
Children Only would include only the session list resources in that group, not the group itself. 

Check the Only If Referenced box to conditionally include resources if they are referenced by 
other resources without the Only If Referenced box checked. This is best when used in 
conjunction with the Children Only attribute and the resource being added is a group. 

5. To exclude resources from the new package by resource type or by specifying actual resources to 
be removed, use the Removed Resources panel in the lower half of the Resources tab. To 
exclude resources by type, click the Excluded Resource Types tab and select from the list of 
available types. To exclude specific resources, click the Removed Resources tab, click the Add 
drop-down menu, then choose the resources you wish to exclude using the resource picker. This 
tab also includes a Children Only option, but an If Not Included option instead of an Only if 
Referenced option. 

Caution: The only way to exclude Asset Category resources from a package is to specify the 
Asset Categories explicitly using the Removed Resources tab. 


Tip: If you include locked resources or shared system resources, then when uninstalling or 
deleting a package, you get a message that the package has a number of locked resources, 
and therefore cannot be uninstalled or deleted. 

When that happens you can either unlock the resource and continue or choose to skip the 
locked resource, in which case it will not be uninstalled or deleted. 

6. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 


Adding Resources to Packages 

You can add a resource to an existing package by using the right-click menu on a selected resource 
in the Navigator tree. 

Tip: Do not add shared system resources and locked resources to packages. If you do, 
uninstalling such packages will fail. 


1. Click the Resources tab in the Navigator panel. 

2. Choose the resource type you want to add (for example, Reports). 

3. Navigate to and right-click the particular resource you want to add (for example, My Report), and 
choose Add to Package. The system displays the Package Selector dialog. 

4. Select a package to which to add the selected resource and click OK. 
Supported Package Resources for Content Synchronization 

Content synchronization provides the ability to create content in one ESM installation and push this 
content to other ESM installations. With the use of the content management feature, you can establish 
peer relationships and designate the publisher and subscribers. You can then manage packages to be 
pushed automatically or manually. Details on content management are in the ArcSight Command 
Center User's Guide. 

Not all packaged resources are eligible for content synchronization. The table below contains a list of 
resource packages you can push to subscribers. 

Note: It is assumed you have created the package with the contentsync format, as described in 

"Creating or Editing Packages" on page 694. 

Resources Eligible for Content Synchronization 

Resource                      Notes 
Active channels 
Active lists                  Definition only, not list entries. Subscribers can override with their own entries. 
Drilldowns 
Drilldown lists 
Dashboards 
Data Monitors                 Definition only, but not data. Subscribers can override with their own data. 
Customers 
Fields 
Field Sets 
Integration Configurations 
Integration Commands 
Integration Targets 
Knowledge Bases 
Notes                         Notes are defined within resources. 
Queries 
Query Viewers 
Reports 
Report Templates 
Rules 
Saved Searches                Created on the Command Center and available on the ArcSight Console as resources. 
Search Filters                Created on the Command Center and available on the ArcSight Console as resources. 
Session Lists                 Definition only, but not list entries. Subscribers can override with their own entries. 
Trends                        Definition only, but not the events searched by the trends. 
Users 

Exporting Packages 

Exporting enables you to save a package as a file with the .arb extension in the folder of your choice. 
You can use .arb files as backups or to transport resources to other systems. 

1. Click the Packages tab in the Navigator panel and select one or more packages to export. 

2. Right-click and choose Export Package to Bundle. You can export after editing a package by 
clicking the Export button at the bottom of the edit panel. 

3. Enter a file name and folder for the file. Leave the default extension as .arb. 

The act of exporting modifies the package version ID, which is not changed merely by modifying the 
package contents. 

The exported package has reference IDs if the Exclude Reference IDs box was not checked in the 
Package Editor. 

• Reference IDs are not the same as Resource IDs, which are always exported with the package and 
remain unchanged during import. 

• Reference IDs speed things up when importing a package to the same ESM from which it was 
exported, but are harmless when importing into a different ESM. 

Check the Obfuscated box in the package editor before export if you want the contents of the .arb file 
to be encrypted. 
Importing Packages 

Generally, you perform package imports while ESM is running, because you want the behavior of the 
system to be immediately affected after a package import. Most package imports are small, 
incremental, and are of short duration. However, there can be large package imports, which are later 
followed by periodic incremental changes to the packages. Large package imports can take up to 45 
minutes to an hour. 


Best Practices for Importing Packages 

During the package import, the important features of ESM must be available. Usually, import 
transactions succeed, but some could fail and result in rollbacks of large imports. Rollbacks are 
automatic and are generally successful, and the system is returned to the state that it was in before the 
large import was attempted. 

To safeguard your system against failures during large package imports: 

• Perform a full database backup before a large package import. 

• Have high processing power and large heap sizes if you are going to stress the system to a very 
high level. 

• If possible, perform large package imports when the system is less loaded. 

• If the package import fails, you can re-execute the import command and it should succeed. 

By default, if the import introduces a new hierarchy for resources, existing resources will keep their old 
hierarchies. This means you may have duplicate resources. This behavior is controlled by the 
property esm.manager.disable.resource.move, which is set to true by default. 

If you are operating under very high loads, this default behavior can help prevent failure of import for 
large packages. 

If you want your resources to move according to the new hierarchy, add the property to the 
server.properties file and set it to false. 

Refer to the ESM Administrator’s Guide, “Editing Properties Files,” for details on editing the 
server.properties file. 
To import packages: 

1. Click the Packages tab in the Navigator panel. 

2. Click the import icon to import a package. 

3. Navigate to the location of ESM packages. Choose an .arb file to import and click Open. 

Importing the package copies it into the system where its package resource information is 
compared to any existing package with the same resource ID. 

■ If the version IDs match, the import is aborted because the system assumes the import 
package is not different than the one in the system. (If you changed the one in the system, you 
should export it to give it a new version ID.) 

■ If the version IDs do not match, it continues to the next step. 

4. By unchecking the Install box to the right of each package, you can choose to import a package 
without installing it. The default during import is to install. If you choose not to install an imported 
package, its resources do not appear. You can always install it later. See "Installing or Uninstalling 
Packages" on page 705 for details. 

5. Review the Import dialog for any conflicts. Each conflict displays one or more resolution options. 
To resolve a conflict, choose the preferred resolution option and click the OK button next to the 
options window. For more about resolving conflicts, see "Resolving Package Conflicts" on 
page 708. 

6. Click OK to continue. When the import is done, a Summary Report is displayed describing the 
packages that were imported. 


Note: Importing packages created by other users 

Packages, like other resources, are always displayed under the user folder in which they were 
created. Upon import, the Summary Report shows the URI or full path into which the package 
was imported (for example, Packages Imported: /All Packages/Personal/SomeUser's 
Packages/VPN Logins Reporting). The import location is not configurable. 

■ If you log in with a different user name and import a package, you may or may not have 
write access to the package (depending on permissions). 

■ If you import the package with a different user name on a Manager that does not include an 
account for the package originator, you cannot see the imported package. 

■ If you recreate an account on the Manager with the same user name as the package 
originator, the imported package reappears. 


Note: Importing packages from Oracle into CORR-Engine 
If you import a package from an ESM system that uses the Oracle database into an ESM 
system that uses the CORR-Engine, and the package contains trends with daily partitions, 
they are converted to weekly partitions. 


Backing Up and Restoring with Packages 

Although the package resource is the mechanism used to distribute ESM security use cases and 
Solution CIPs, packages are also designed for transporting resources to other systems, such as from 
development to production systems. You can also use packages as a backup mechanism for 
resources on running systems. 

Resources can be part of more than one package. Therefore, some behaviors associated with 
packages may seem counter-intuitive and bear consideration. 


ID Checking During Import 

When a package is imported, there are some automatic ID checks: 

1. The system looks for any other existing packages in the system with the same resource ID. This 
is the ID the system gave to the package when you created it. 

■ If there are none, it imports the package and the process ends, unless there is a package in the 
same group with the same name. 

■ If there is another package with the same resource ID, the evaluation goes to step 2. 

2. The system compares the package version IDs for the importing and existing packages that share 
the same resource ID. The version ID is the ID the system gave to the package when the package 
was exported. 

■ If the package version ID being imported matches the package version ID currently installed on 
the system, the package import process stops, because the system assumes that this 
package is already imported. 

■ If the version IDs do not match, the evaluation goes to step 3. 

3. The system checks each resource within the package to see if each version ID matches an 
installed resource with the same resource ID or URI (path and resource name). 

■ If they match, the matching resource is not imported and the system checks the next resource. 

■ If the version IDs do not match, the existing resource is over-written with the one in the 
package being imported, unless you choose to import the package without installing. 
If you import the package without installing it, the new package resource information is saved in 
ESM as an update and the icon changes to a small white up arrow in the lower left corner. 
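The three checks above, together with the version-ID rules from "Package Modifications", written out as a small Python model. This is an added example, not ArcSight code; the package name, resource URIs and IDs are constructed placeholders, and `demo()` walks through why a backup cannot be restored until the live package has been re-exported.

```python
"""Model of the ID checks ESM performs when a package is imported: an added
illustration of "ID Checking During Import" and the version-ID rules in
"Package Modifications", not ArcSight code. Packages, resources and IDs are
constructed sample data with placeholder identifiers."""
import copy
import secrets
from dataclasses import dataclass, field


@dataclass
class Resource:
    resource_id: str          # assigned at creation, never changes
    uri: str                  # path plus resource name
    version_id: str           # regenerated on export only if the resource changed
    body: str                 # stand-in for the resource definition
    exported_body: str = ""   # what the last export captured


@dataclass
class Package:
    resource_id: str
    name: str
    group: str
    version_id: str = ""      # empty until the first export, i.e. no backup
    resources: dict = field(default_factory=dict)
    update_available: bool = False


def new_id() -> str:
    """Placeholder for a system-generated ID; only equality is meaningful."""
    return secrets.token_hex(6)


def export_package(pkg: Package) -> Package:
    """Regenerate the package version ID unconditionally and a resource's
    version ID only if it changed; the returned copy stands in for the .arb."""
    pkg.version_id = new_id()
    for res in pkg.resources.values():
        if res.body != res.exported_body:
            res.version_id = new_id()
            res.exported_body = res.body
    return copy.deepcopy(pkg)


def import_package(manager: dict, incoming: Package, install: bool = True) -> dict:
    """Run the import checks against the Manager's packages and summarise."""
    incoming = copy.deepcopy(incoming)
    existing = manager.get(incoming.resource_id)
    # Step 1: no package with this resource ID, so import it, unless a
    # package with the same name already sits in the same group.
    if existing is None:
        if any(p.group == incoming.group and p.name == incoming.name
               for p in manager.values()):
            return {"action": "conflict", "reason": "same name in group"}
        manager[incoming.resource_id] = incoming
        return {"action": "imported", "added": sorted(incoming.resources)}
    # Step 2: version IDs are compared for equality only; the system cannot
    # tell which of two different IDs is newer.
    if existing.version_id == incoming.version_id:
        return {"action": "aborted", "reason": "version IDs match"}
    # Step 3: compare each packaged resource with an installed resource that
    # has the same resource ID or URI; without install, only record the update.
    if not install:
        existing.update_available = True      # the up-arrow icon on the package
        return {"action": "update saved"}
    skipped, overwritten, added = [], [], []
    by_uri = {r.uri: r for r in existing.resources.values()}
    for rid, res in incoming.resources.items():
        match = existing.resources.get(rid) or by_uri.get(res.uri)
        if match is None:
            added.append(rid)
        elif match.version_id == res.version_id:
            skipped.append(rid)
            continue
        else:
            overwritten.append(rid)
        existing.resources[rid] = res
    existing.version_id = incoming.version_id
    return {"action": "installed", "skipped": skipped,
            "overwritten": overwritten, "added": added}


def demo() -> dict:
    """Backup-and-restore cycle on constructed data."""
    manager = {}
    pkg = Package("pkg-0001", "VPN Logins Reporting", "/All Packages/Personal")
    pkg.resources["r-1"] = Resource("r-1", "/All Rules/VPN/Failed Logins", new_id(), "v1")
    pkg.resources["r-2"] = Resource("r-2", "/All Reports/VPN/Weekly", new_id(), "v1")
    manager[pkg.resource_id] = pkg
    backup = export_package(pkg)              # the .arb kept as a backup
    pkg.resources["r-1"].body = "v2"          # edit a resource in place
    stale = import_package(manager, backup)   # aborted: version IDs still match
    export_package(pkg)                       # re-export elsewhere: new version ID
    restore = import_package(manager, backup) # now the backup overwrites r-1
    export_package(pkg)
    pending = import_package(manager, backup, install=False)
    return {"stale": stale, "restore": restore, "pending": pending,
            "restored_body": pkg.resources["r-1"].body,
            "update_available": pkg.update_available}
```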


Package Modifications 

A package archive is a system data structure that contains the information defining a package and its 
resources. As you change a package and its resources, this file is not updated until you export the 
package. This enables the package to support the Compare Archive with Current Package 
Contents feature (from the package’s right-click menu). This command allows you to see the 
packaged contents, for both the package last exported (the archive), and the current contents. The 
"Change Since Archive" column shows whether a given resource has been deleted, removed or 
modified. 

When you export a package, the package’s version ID is regenerated, regardless of whether the 
package attributes or any of its resources actually changed. This is not the case with the included 
resources; their individual version IDs only change upon export if the resource itself changed. 

When you create a package, there is no version ID until you export it. Whenever you see a package 
with no version ID, that means there is no exported backup. 


List Data 

Active lists and session lists have two different uses as part of a package, and these affect how you 
would export the lists for backup purposes: 

• The other resources in the package use the list to store data. The data is generated and used at run 
time. If, when you export the package, you do not need to save the data that accumulated in the list 
from the last run, use the Export package format. 

• The list contains data that other resources in the package, such as rules, need specifically. If, when 
you export the package you must save the content of these lists, use the Default package format. 

If you have a package containing some lists used only as containers and others with specific 
necessary data, use the Default format. The container lists would import again with data you do not 
need, but it is better than losing data you do need. Alternately, you could put the lists with required data 
into a second package using the Default format, and make this new package required for the first 
package, which uses the Export format. 


Backup and Restore Summary 

The version ID changes affect the results when importing a package in an effort to restore an existing 
package to a previous state. 
• The system does not import a package backup if the version IDs of the package resource match. 

• To make the existing system have a different version ID than the backup, you must export it again 
(being sure not to overwrite the backup you want to restore). 

• If the existing package is bad and you have a good backup, you can always delete the existing 
package and then import the backup package. 

• If you create a package that includes a top-level resource group (All Actors, for example), so you 
can back up the entire group, export the package often enough that all the recent changes are 
captured. If you ever delete such a package, it deletes the top-level group and every resource that 
has been added to the group, regardless of whether those new resources were added to the 
package. Be careful. Consider using the Children Only option. 

• Generated version IDs do not identify which version ID is newer. For packages with the same 
resource ID, the system can only tell whether their version IDs are the same or different. 

• To revert back to the last version imported, you must either delete the existing package or export it 
to some other location. Doing so sets a new version ID and places the export so as not to overwrite 
your backup. The backup package can now overwrite the existing package when you import it. 

• Changing the name of an .arb file does not change the name, resource ID, or version ID of the 
package. 

• If you currently have a package with version 1.1, and you want to import the backup package with 
version 1.0, there may be conflicts or other issues. See "Resolving Package Conflicts" on 
page 708. 


Installing or Uninstalling Packages 

If you leave the Installed checkbox unchecked when you create a package, it is uninstalled. 

Uninstalled packages are not shown in the Normal view of the package tree. If you choose not to install 
a package when it is imported, and there was no other package with the same resource ID, the 
uninstalled package is essentially the same as a new uninstalled package. 

However, if you imported a package for which there was already one in the system with the same 
resource ID, but a different version ID, and you chose not to install it, the system has two different data 
sets for it. The existing package could be installed or uninstalled, but its Update Available attribute is 
now checked, which is indicated by an icon with a small white up arrow in the lower left corner. 

To install packages: 

Caution: Packages can contain thousands of resources; therefore, installation may become a 
long-running transaction, up to 50 minutes or longer. While package installation is running, do not 
use the same administrator login to access and perform other administrative tasks on the Console 
or Command Center. Other administrator logins may access the Console or Command Center at 
this time; however, avoid running package installations concurrently with other administrators. 


1. Click the Packages tab in the Navigator panel. Locate the uninstalled package with the grayed out 
icon. 

2. Right-click the uninstalled package that you would like to install and choose Install Package. 

3. Review the dialog for any conflicts. Each conflict displays one or more resolution options. To 
resolve a conflict, choose the preferred resolution option and click the OK button next to the 
options window. For more information, see "Resolving Package Conflicts" on page 708. 

Wait for the package installation to complete. 

To uninstall packages: 

Tip: While uninstalling a package, you might encounter a message that the package has a number 
of locked resources, and therefore cannot be uninstalled (or deleted, if you are deleting the 
package). Resources can be explicitly locked by their creators. Locked resources can also be 
system resources that are shared with other resources, and therefore cannot be uninstalled. There 
are two options: 

• Unlock the user-created resources after verifying that the resources should be uninstalled with 
the package. 

• If the locked resource should not be uninstalled, choose to skip the shared resources and 
proceed with uninstalling the package. 

In the future, you may decide to exclude locked resources and shared system resources from any 
package to avoid this conflict. 


1. Click the Packages tab in the Navigator panel. 

2. Right-click the package to be uninstalled and select Uninstall Package. (This command is 
disabled if the package is already uninstalled or if it is locked.) 

Uninstalling a package changes its icon appearance as grayed out, but the package remains in the 
system and can be installed again. 

The resources that were in the package are removed from the system, even if they are also in another 
package. However, the details of these deleted resources are retained within the uninstalled package. 
When you reinstall the package, these resources are restored. Furthermore, they are also restored to 
whatever other packages they were in when you uninstalled this package. 

You cannot add resources to an uninstalled package. 
Deleting Packages 

Caution: Before you delete packages, read the following information: 

• Deleting a package that contains resources that maintain state (active lists with values, 
session lists, or trends) deletes the state information as well. 

• When resources within the package are deleted, they are deleted even if they are contained in 
another package. Furthermore, if you delete a package that is required by another package (its 
icon has a red mark in the upper-right corner), the dependent package is useless without 
it and is also deleted, along with all the resources in that dependent package. 

• Before deleting a package, make sure the package excludes system resources; otherwise, 
these resources are deleted unless they are locked or they belong to a locked group. This can 
cause some serious problems, especially when the system resources are Zones. If any system 
resources were deleted because the package in which they were included was deleted, re-
import the package, edit the package so that system resources are excluded, then delete the 
package again. 

• If there is even the slightest chance that you might need a deleted package or any of its 
resources at some point in the future, export it before deleting it. 

• If you want to delete a package but not necessarily all the resources within it, remove the 
resources you want to save before you delete the package. 


1. Click the Packages tab in the Navigator panel. 

2. Right-click the package to be deleted and choose Delete Package. 

3. Confirm that you want to delete the specified package. 

4. If the package is still installed, you have the option to Remove Resources in Package or Leave 
Resources. If you Leave Resources, only the package itself is deleted. The resources that it 
contained remain in the system resource tree. If you Remove Resources, all resources that the 
package contained are deleted from the system resource tree. 

If the package is uninstalled, its resources have already been removed from the system, but 
deleting the package means these resources can no longer be restored. 

See "Backing Up and Restoring with Packages" on page 703. 
Removing Resources from Packages 

1. Click the Packages tab in the Navigator panel. 

2. Right-click the package to be edited and choose Edit Package. The Package Editor opens in the 
Inspect/Edit panel. 

3. Click the Resources tab in the Package Editor. 

4. In the upper half of the Resources tab, select the resource you want to remove. (A gray highlight 
on the entire row indicates the resource is selected.) 

5. Click Remove. 


Resolving Package Conflicts 

Package conflicts can occur during install, uninstall, deletion, or importation of packages. Most 
package conflicts are resolved internally by the ArcSight Manager without the need for user 
intervention. However, some package conflicts prompt the administrator for an appropriate action from 
a list of options. This section describes two of these scenarios as examples. 

If the ArcSight Manager detects package conflicts for a pending package uninstall, the Console 
provides choices for resolving the conflict and proceeding, or aborting the uninstall operation. The 
options provided depend on the type of conflict detected. 


For example, if you attempt to uninstall a package that changed since it was installed, the conflict is 
indicated and you are asked to choose from the following Uninstall Resolution Options. 


Option                                                         Description 
Create a new archive for package                               Creates a new archive for the modified package (and retains the original). 
Create new archive for remaining changed packages              Creates new archives for all changed packages before uninstall (retains all originals). 
Continue without saving changes                                Uninstalls this package without saving changes. 
Uninstalls this and remaining packages without saving changes  Uninstalls all selected packages without saving changes. 
Abort                                                          Abandons the uninstall process and keeps the packages as is. 


If the ArcSight Manager detects package conflicts for a pending package import or install, the Console 
provides choices for resolving the conflict and proceeding, or aborting the import operation. The options 
provided depend on the type of conflict detected. 



ArcSight Console User's Guide 
Chapter 26: Managing Packages 


For example, if you attempt to import a package with content that is older than the currently imported 
package, the conflict is indicated and you are asked to choose from the following Import Resolution 
Options: 


Option                         Description 
Leave newer packages           Leaves the newer packages installed. 
Never override newer packages  Completes the import but imports only packages that are newer than those currently installed. 
Update packages                Imports the selected packages, and prompts for package conflict resolutions on a per-package basis. 
Always update packages         Imports the selected packages, and overwrites newer packages if they exist. 
Abort                          Abandons the uninstall process and keeps the packages as is. 


See the Administrator's Guide for more information on working with the archive command and other 
utilities. 
The Pattern Discovery feature of the ArcSight Console is activated when you get a license for the 
Threat Detector solution package. Pattern Discovery enables you to discover previously unknown 
patterns, which might pose a threat, and view them for analysis. 

Pattern Discovery requires a separate license. Check your license agreement before using this feature. 
Topics include: 

• "Pattern Discovery Overview" below 

• "Pattern Discovery Life Cycle" on page 713 

• "Creating or Editing a Profile" on page 713 


Pattern Discovery Overview 

When finding threats by matching events against rules, you have to know the threat characteristics and 
create a rule that matches them. ArcSight Pattern Discovery enables you to search for threat patterns 
with known characteristics as well, but you can also find unknown patterns, where the only 
characteristic you specify is that the transactions are related and repeat. 

The purpose of Pattern Discovery is to: 

• Effectively search streams of potentially millions of events for patterns, which are simply repeating 
sequences of related events. 

• Establish a baseline of patterns that represent normal event traffic and filter them out. 

• Analyze what remains for threats. 

In this way you can discover and investigate patterns that might represent new threats or threats 
whose characteristics are not known to you. 


What Pattern Detection Provides 

Pattern Discovery can automatically detect subtle, specialized, or long-term patterns that might 
otherwise go undiscovered in the flow of events. You can use Pattern Discovery to: 

• Detect day-zero attacks: Pattern Discovery profiles are general enough that they can discover 
patterns that have never been seen before. 

• Detect low-and-slow attacks: Low-and-slow attacks involve fewer events over a longer period. 
Profiles with longer time periods can capture these patterns. 

• Automatically create rules: You can transform patterns into a rule set that is unique to your 
environment and more accurate than generic predefined rules. 

• Discover normal patterns: New patterns discovered from current network traffic are like 
signatures for a particular subset of network traffic. You can specify which patterns are normal so 
that matching patterns can be eliminated as a threat. 

• Save a history of threat patterns: Pattern Discovery can use event patterns that originate from or 
target an asset to categorize those assets. For example, a pattern of events from a machine that 
has an unauthorized program initiating a connection to an attacker (a back door) can be shown as a 
cluster. If you see this pattern originating from a new asset, it is a strong indication that the new 
asset also has a back door installed. 

Use Pattern Discovery for preventive maintenance and early detection in your security management 
operations. Using periodic, scheduled analysis, you can continuously scan for new patterns over 
varying time intervals to stay ahead of new exploits. 


Pattern Components 

Events in a pattern share one or more common field values. For example, they could share the same 
source and target IP addresses, ports, host names, or other data. 

The Pattern Discovery algorithm examines event components and identifies groups of related 
components as transactions. Discovered patterns list the components involved and the transactions 
containing common components. This data is output as a pattern resource. Components can relate to 
one another in several ways: 

• Related by session: Session refers to a unique pair of source and target addresses. The events for 
which this pair are the same are in the same session. 

• Together in a sub-stream: The event stream can be divided into sub-streams using a “group by” 
operation on a subset of event fields. This step can also take time of occurrence into account. 

• Together in time: All the components occur together in a small time window. 

Event components with some kind of relationship are grouped together as transactions, which then 
become potential candidates for patterns. The Pattern Discovery algorithm processes all the 
transactions it finds and produces patterns, depending on whether they satisfy one or more conditions 
that make them discernible as patterns. 

Event components are subdivided into transactions in two major ways: time-based division, and event 
field-based division. These two methods can be combined. 

Time-based division is based on timing constraints, and is very similar to the constraints used in 
defining rules. For example, the system creates a transaction at every division of an event stream. The 
event stream can be divided depending on the rate of occurrence of events and changes in those rates. 
This works well for dividing event streams that display events in bursts of activity. 
Event field-based division is very similar to doing a “group by” operation on event fields. Every related 
group of events is a sub-stream of the original stream of events. For example: 

• Based on source, target address, and port: Suppose there are three distinct source addresses 
in the event stream. After doing a “group by,” three sub-streams are generated, each one originating 
from and corresponding to a unique source address. 

• Based on source and target address: In this case, all the events that have the same source and 
target address belong to the same sub-stream. 


How Pattern Discovery Works 

Once the event stream is divided into transactions, Pattern Discovery identifies and groups events that 
occur together in multiple transactions. These events are sub-grouped by support level, which is the 
number of times that event occurred with its related events. A higher support number means that a 
pattern has occurred more frequently than others. 


For example, consider the separate grocery purchase transactions, below. Several patterns emerge: 
Bread, butter, and jam were purchased together; as were milk and cereal. An analyst can draw 
conclusions from those patterns: these shoppers intend to make toast, or have cereal. Bread and 
strawberry jam also appear in two patterns and are a sub-pattern. 
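The division into transactions and the support counting described above, as an added Python example rather than ArcSight's own algorithm. The grocery baskets (standing in for the transactions the text refers to) and the event records with their addresses and event names are constructed sample data; the same functions also do the field-based "group by" division into sessions from the previous section.

```python
"""Toy version of the pattern-discovery steps described above: divide the
event stream into transactions by session (a unique source/target pair),
then find sets of event components that recur across transactions and rank
them by support. Added example, not ArcSight's algorithm; the events and
grocery baskets are constructed sample data with placeholder addresses."""
from collections import Counter, defaultdict
from itertools import combinations


def split_by_session(events):
    """Field-based division: one transaction per (source, target) pair,
    holding the set of event names seen in that session."""
    sessions = defaultdict(set)
    for e in events:
        sessions[(e["src"], e["dst"])].add(e["name"])
    return list(sessions.values())


def find_patterns(transactions, min_support=2, max_size=4):
    """Count every set of 2..max_size items that occurs together in at least
    min_support transactions. Support is the number of transactions in
    which the whole set appears; items are kept in sorted order."""
    support = Counter()
    for items in transactions:
        for k in range(2, min(max_size, len(items)) + 1):
            for combo in combinations(sorted(items), k):
                support[combo] += 1
    return {combo: n for combo, n in support.items() if n >= min_support}


def pattern_hierarchy(patterns):
    """Drop a sub-pattern when a larger pattern has the same support (it adds
    nothing); keep it when it occurs more often on its own, since that extra
    support is information about the smaller pattern."""
    return {combo: n for combo, n in patterns.items()
            if not any(set(combo) < set(other) and m == n
                       for other, m in patterns.items())}


def grocery_demo():
    """The text's grocery illustration, rebuilt as constructed baskets."""
    baskets = [{"bread", "butter", "jam"}, {"milk", "cereal"},
               {"bread", "butter", "jam"}, {"milk", "cereal"}, {"bread", "jam"}]
    return pattern_hierarchy(find_patterns(baskets))


def event_demo():
    """Constructed events: three components recur together in two sessions,
    and two of them recur in a third, so that pair has the higher support."""
    af, ok, ps, fd = ("Authentication Failure", "Authentication Success",
                      "Port Scan Detected", "File Download")
    raw = [("10.0.0.5", "10.0.0.20", ps), ("10.0.0.5", "10.0.0.20", af),
           ("10.0.0.5", "10.0.0.20", ok), ("10.0.0.5", "10.0.0.21", ps),
           ("10.0.0.5", "10.0.0.21", af), ("10.0.0.5", "10.0.0.21", ok),
           ("10.0.0.7", "10.0.0.20", ok), ("10.0.0.8", "10.0.0.22", ps),
           ("10.0.0.8", "10.0.0.22", af), ("10.0.0.9", "10.0.0.20", ok),
           ("10.0.0.9", "10.0.0.20", fd)]
    events = [{"src": s, "dst": d, "name": n} for s, d, n in raw]
    return pattern_hierarchy(find_patterns(split_by_session(events)))
```

In the grocery run, bread/butter/jam and milk/cereal come out as patterns with support 2, while bread/jam survives as a separate sub-pattern because it occurs in a third basket.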





You can mask patterns you consider normal traffic so the system recognizes them and does not 
reevaluate them. For potential threat patterns that you want to watch for, you can build a rule based on 
the pattern characteristics. When the pattern occurs, the rule triggers an action, such as notifying a 
group of users or running a command script. 
Pattern Discovery Life Cycle 

The creation and use of Pattern Discovery consists of three phases: 

• Create a profile (see "Creating or Editing a Profile" below) 

• Generate snapshots (see "Taking a Snapshot" on page 723) 

• Investigate patterns (see "Investigating Patterns" on page 729). 


Use these options to analyze and respond to the patterns you discover in snapshots. 

Create Rule: Use the Rules Editor to create a rule from a detected pattern of events or a selected 
event-level in the pattern hierarchy. 

Show Related Events: Open a new channel filtered with a matchesPattern operator that uses the whole 
pattern, or event-levels, as its argument. 

Show Event Graph: Graph the complete pattern or a selected event-level in the pattern hierarchy, to 
analyze using the ArcSight Console's visualization tools. 

Inspect Pattern: The Pattern Inspector shows details, and you can click the Actions button to apply 
the options described in this table. 

Investigate: You can create an active channel, or add a filter to the editor, using (or not using) the 
name of the selected event item in the pattern. 

Tools: Choose one of the network tools ArcSight provides to explore the origin of the selected event 
item. 

Annotate Pattern: You can mark the pattern with a workflow collaboration Stage and Assign it to a user 
for filtering by Stages and Users resources. 


Creating or Editing a Profile 

A profile is a set of filters that define what fields to include in your pattern search, and the scope and 
properties of a pattern. It also specifies the time period to search. Profiles can be general or specific. 
Typically you would use several different profiles to define the parameters of snapshots, which collect 
all the events in the specified time frame and evaluate them according to the filters set in the profile. 
To create or edit a profile: 

1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab. 

2. Expand the Profiles resource tree. 

3. To create a profile, right-click a group in the resource tree and select New Profile. 

To edit a profile, select the profile you want to modify. 

4. In the Inspect/Edit panel, on the Profile Editor Attributes tab, modify the values (described below) 
and click Apply. Some values, such as Version ID, are set by ArcSight and are not editable. 


Profile Attributes 

Summary: A profile summary appears below the Attributes tab. The underlined items are values 
entered in the fields below. 

Profile Name: Enter a descriptive name for your profile. 

Minimum Pattern Length: Type or use the up/down arrows to select the minimum number of unique 
associated events necessary to qualify the events as a pattern. The default value is 2 events. 

Minimum Pattern Occurrences: Type or use the up/down arrows to select the minimum number of times 
an event association of the specified length must reoccur in order to qualify as a pattern. The default 
value is 2 occurrences. 
Start Time: Select a time stamp expression for the snapshot start time. Expressions are described 
below. 

■ $Now: The current time, in the format hh:mm:ss. 

■ $Now - 1h: The current time minus 60 minutes. 

■ $Now - 1d: The current time minus 24 hours. 

■ $Now - 1w: The current time minus 7 days. 

■ $Today: The start of the current day (midnight, 00:00:00). 

■ $Today - 1d: The start of the current day (midnight) minus 24 hours; in other words, the start of 
yesterday. 

■ $CurrentWeek: The start of the current week (Sunday, 00:00:00). 

■ $CurrentMonth: The start of the current month (the 1st, 00:00:00). 

The general format of a start time is $Now - <time>, where <time> is a whole number of hours, days, 
weeks, or months. 

End Time: Use the $Now drop-down menu to select a time stamp expression for the snapshot end 
time. The formats are the same as for Start Time, above. 
Events 

Event Fields, Source, Target: You can select one or more of these (event fields, source, and target) 
for the pattern portion of the snapshot to display. Click in the data entry area and then click the 
drop-down menu to open the field chooser. 

In the Available Fields area, click the tab from which you want to choose; you can select one or more 
of: 

■ Field Sets. 

■ Local variables you created for this profile (see "Creating Local Variables" on page 721). 

■ Fields and global variables that are relevant to a Pattern Discovery profile. 

In the Selected Fields section: 

■ Use the up and down arrows to specify the order in which the fields appear. 

■ Use the green alias icon to create an alias version of a field. 

■ Use the red X icon to remove a field from the list. 

■ You cannot specify date/time fields. 

■ If you are going to add fields to a list (an active list or session list action), those fields must appear 
in this section (except the End Time field, which does not have to be here). 

Restrict by Filter: Click the All Events drop-down menu to choose a filter from the Filters resource 
tree. The filter restricts the pool of events from which the snapshot is constructed. 

Advanced: The check boxes in this section instruct the snapshot to capture elements pertaining to 
time, which can lend vital insight to a pattern. 

Tip: If you want to improve query performance and you don't need these options, leave them 
unchecked. 

Record Time Order: This advanced option includes the time sequence of the events contained in 
patterns. For example, for a three-event pattern, it could record that A-B-C occurred 40 percent of the 
time, B-A-C 35 percent, and A-C-B 25 percent. Because event sequences can reveal intent, you can 
detect and act upon certain kinds of activity even sooner. 
Split on Inactivity: This advanced option detects potentially meaningful decreases in activity between 
the same source/target pair. It creates a break if there is a pause or significant drop in the number of 
times a particular pattern occurs, and treats occurrences of the pattern on either side of the break as 
separate instances. On analysis, a split on occurrences of the same source/target pair means that 
there was a slow-down or break in occurrences. This enables you to discover patterns that happen 
repeatedly for one source/target pair. 

Discovery Results 

Snapshot Retention Time: Click the drop-down menu to select how long you want the system to save a 
snapshot and its series of events. Snapshots retain all the needed components of the events and make 
them available during analysis. For example, when you drill down in an event and select “Show related 
events,” the events saved within the time frame set here are searched for matches. The default 
retention time is 7 days. 

Snapshot Group: Choose a group in the Snapshots resource tree in which to store the resulting 
snapshots. By default, the system adds the snapshot to the same folder you right-clicked to add the 
profile. 

Pattern Group: Choose a group in the Patterns resource tree in which to store the resulting patterns. 
By default, the system adds the pattern to the same folder you right-clicked to add the profile. 

Common 

External ID: An identification string suitable for, and which can be referenced by, systems outside 
ArcSight. Common applications of External IDs include appropriate naming for Case and Asset 
resources that are tracked in common with defect reporting or vulnerability-management systems. 
Your ArcSight administrator can advise you on the correct values for this field, if applicable. 

Alias: An identification string suitable for referencing resources within ArcSight. A given alias appears 
in place of the resource's name everywhere it may be seen. Your ArcSight administrator can advise you 
on the correct values for this field, if applicable. 

Version ID: If this profile came in a package or if you have exported it to a package, this is the 
package's version ID. 

Description: A text description of the profile. 

Assign 

Owner: The user with responsibility for the profile. 

Notification Groups: The user groups to notify concerning changes to a profile. 
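The following Python example resolves the Start Time and End Time expressions listed above to concrete timestamps; it is an added illustration, not ESM's own expression parser. It assumes the week starts on Sunday and the day at midnight, as the Start Time table states, accepts the h, d and w unit letters shown in the examples, and treats M as the month unit, which is an assumption because the guide names months as a unit without showing a letter for it. EXAMPLE_NOW is a fixed clock so the output is reproducible.

```python
import re
from datetime import datetime, timedelta

# Anchors and unit letters as shown in the Start Time examples. "M" for months is an
# assumption made for this example: the guide lists months as a unit but shows no letter.
_EXPR = re.compile(r"\s*(\$Now|\$Today|\$CurrentWeek|\$CurrentMonth)\s*(?:-\s*(\d+)\s*([hdwM]))?\s*")
_UNITS = {"h": "hours", "d": "days", "w": "weeks"}

# A fixed "now" (a Wednesday) so the worked results below are reproducible.
EXAMPLE_NOW = datetime(2015, 7, 15, 10, 30, 0)


def resolve(expr, now=None):
    """Resolve a snapshot time expression such as '$Now - 1h' or '$Today - 1d' to a datetime."""
    now = now or datetime.now()
    match = _EXPR.fullmatch(expr)
    if not match:
        raise ValueError(f"unsupported time expression: {expr!r}")
    anchor, amount, unit = match.groups()
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if anchor == "$Now":
        base = now
    elif anchor == "$Today":
        base = midnight
    elif anchor == "$CurrentWeek":
        # The week starts on Sunday. weekday() is 0 for Monday .. 6 for Sunday,
        # so the number of days since the last Sunday is (weekday + 1) % 7.
        base = midnight - timedelta(days=(midnight.weekday() + 1) % 7)
    else:  # $CurrentMonth
        base = midnight.replace(day=1)
    if amount is None:
        return base
    if unit == "M":
        return _subtract_months(base, int(amount))
    return base - timedelta(**{_UNITS[unit]: int(amount)})


def _subtract_months(moment, months):
    """Step back a number of calendar months, clamping the day to the target month's length."""
    index = moment.year * 12 + (moment.month - 1) - months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    next_month_start = datetime(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def snapshot_window(start_expr, end_expr, now=None):
    """Resolve both profile expressions and reject an empty or inverted window."""
    now = now or datetime.now()
    start, end = resolve(start_expr, now), resolve(end_expr, now)
    if start >= end:
        raise ValueError(f"start {start} is not before end {end}")
    return start, end


if __name__ == "__main__":
    for expr in ("$Now", "$Now - 1h", "$Now - 1d", "$Now - 1w", "$Today", "$Today - 1d",
                 "$CurrentWeek", "$CurrentMonth"):
        print(f"{expr:15} -> {resolve(expr, EXAMPLE_NOW)}")
    print(snapshot_window("$Today - 1d", "$Today", EXAMPLE_NOW))
```

The window check matters in practice: a profile whose Start Time resolves later than its End Time selects no events, and the resulting empty pattern looks the same as a filter that matched nothing.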


To copy a profile to another folder, select the profile, choose Edit | Copy (or press Ctrl+C), select the 
destination folder, and choose Edit | Paste (or press Ctrl+V). 

To use one of these profiles, see "Taking a Snapshot" on page 723. 
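To show what the Record Time Order and Split on Inactivity options in the Profile Attributes table compute, here is an added Python example; it is not part of the guide and is not ESM's implementation. It takes a constructed series of events for one source/target pair, splits it into separate pattern instances wherever the pause between consecutive events exceeds an inactivity threshold, and then records, for each instance that contains every event of a pattern, the order in which those events first occurred, giving the percentage breakdown that the Record Time Order description mentions. The event names, timestamps and the 10-minute threshold are assumptions of the example.

```python
from collections import Counter
from datetime import datetime

# Constructed series of events for one source/target pair, as (timestamp, event name).
# Five bursts separated by pauses of 1.5 to 2.5 hours; the data is invented for this example.
SAMPLE_SERIES = [
    ("2015-07-15 10:00:00", "Port scan"),
    ("2015-07-15 10:00:20", "Exploit attempt"),
    ("2015-07-15 10:00:45", "Outbound connection"),
    ("2015-07-15 12:00:05", "Exploit attempt"),
    ("2015-07-15 12:00:10", "Port scan"),
    ("2015-07-15 12:00:30", "Outbound connection"),
    ("2015-07-15 14:30:00", "Port scan"),
    ("2015-07-15 14:30:10", "Exploit attempt"),
    ("2015-07-15 14:30:12", "Outbound connection"),
    ("2015-07-15 16:00:00", "Port scan"),
    ("2015-07-15 16:00:05", "Outbound connection"),
    ("2015-07-15 16:00:20", "Exploit attempt"),
    ("2015-07-15 18:00:00", "Port scan"),
    ("2015-07-15 18:00:03", "Exploit attempt"),
    ("2015-07-15 18:00:09", "Outbound connection"),
]


def parse_series(rows):
    """Turn (text timestamp, name) rows into (datetime, name) tuples in time order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name) for ts, name in rows)


def split_on_inactivity(series, max_gap_seconds):
    """Time-based division: start a new transaction whenever the pause between two
    consecutive events of the same source/target pair exceeds max_gap_seconds."""
    transactions, current, last_seen = [], [], None
    for timestamp, name in series:
        if last_seen is not None and (timestamp - last_seen).total_seconds() > max_gap_seconds:
            transactions.append(current)
            current = []
        current.append((timestamp, name))
        last_seen = timestamp
    if current:
        transactions.append(current)
    return transactions


def time_order_distribution(transactions, pattern):
    """Record Time Order: for every transaction that contains all events in `pattern`,
    note the order in which they first occur; return each ordering's share (0.0 to 1.0)."""
    orders = Counter()
    for txn in transactions:
        first_seen = {}
        for timestamp, name in txn:
            if name in pattern and name not in first_seen:
                first_seen[name] = timestamp
        if len(first_seen) == len(pattern):   # every event of the pattern is present
            orders[tuple(sorted(first_seen, key=first_seen.get))] += 1
    total = sum(orders.values())
    return {order: count / total for order, count in orders.items()} if total else {}


if __name__ == "__main__":
    series = parse_series(SAMPLE_SERIES)
    pattern = {"Port scan", "Exploit attempt", "Outbound connection"}
    bursts = split_on_inactivity(series, max_gap_seconds=10 * 60)
    print(len(bursts), "instances")
    for order, share in sorted(time_order_distribution(bursts, pattern).items(), key=lambda kv: -kv[1]):
        print(f"{share:.0%}", " -> ".join(order))
```

With a 10-minute inactivity threshold the series splits into five instances, and the scan-then-exploit-then-callback ordering accounts for 60 percent of them. With a three-hour threshold the whole day collapses into one instance, so only the first ordering is ever recorded; the threshold, not the data, decides how many instances a pattern appears to have.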


Specifying Actions 

The Actions tab enables you to select a trigger, then specify the action to take when that trigger 
occurs. 

To specify an action: 

1. Open the profile in the Profile Editor (double-click the profile in the Navigator panel). 

2. In the Inspect/Edit panel, click the Actions tab. 

3. Before you add an action, specify when to take the action (the trigger). Select one of the following 
trigger options: 

On Pattern Discovered: The action is taken the first time a new pattern appears. Choose this option 
for assigning new patterns to an analyst to investigate. 

On Pattern Rediscovered: The action is taken when a previously discovered pattern is found again. 
Choose this option for ongoing operations. 

4. Click Add and select one of the following options: 
Pattern Discovery Actions 

Annotate Pattern: In the dialog box, enter the following values and click OK: 

■ Select a Stage from the drop-down menu. 

■ Assign a user from the drop-down menu. 

Set Event Field: In the dialog box, enter the following values and click OK: 

■ Select a Field Set (or a domain field set you created) from the drop-down menu. 

■ In the event fields grid, set values for the event fields you are interested in. 

Send Notification: Specify a notification group in the Notification Group drop-down menu. 

■ Click Ack Required if those notified should acknowledge that they received the notification. 

■ Write the message to send in the Message field. 

Execute Command: In the dialog box, enter the following values and click OK: 

■ Select an operating system platform from the drop-down menu. 

■ Enter the command string. Use correct syntax; the system does not validate command strings. 

■ Enter any required parameters. For example, the archive tool needs the manager name, 
administrator name, and password. Specifying them lets the system execute the command without 
user intervention. Because the command string is stored with the profile, any credentials it contains 
are readable by anyone who can view or edit the profile, so restrict access to such profiles 
accordingly. 

■ In the Action Type drop-down menu, select one of the following: 

Automatically run on manager: Initiates the command with no user intervention. 

Run on Manager with Console confirmation: Displays a confirmation dialog box in the ArcSight 
Console for the designated user before the command is initiated. 

Run on connector(s): Sends the command to the connectors that report the events. 
Execute Connector Command: Specify a command to be executed at the SmartConnector reporting 
the events, such as pause or stop/start event flow. Enter the following values and click OK: 

■ In the Connector drop-down menu, select the SmartConnector to execute the command. When you 
select a connector, the Command field is populated with the commands available for that connector. 

■ In the Command field, select the command for the connector to execute. The command may contain 
required parameters. 

Export to External System: You can export the pattern to an external tracking system, such as BMC 
Remedy, if you configured it to operate with ESM. Click OK. 

Active List: You can add a pattern to (or remove it from) an active list, where its event details are 
available to other correlation tools for reference. 

■ To add a pattern to an active list, select Add to Active List. In the dialog box, select an active list 
from the drop-down menu and click OK. 

■ To remove a pattern from an active list, select Remove from Active List. In the dialog box, select an 
active list from the drop-down menu and click OK. 

■ You cannot add fields to an active list if they are not present in the Events section of the profile. 

■ You cannot add any date/time-based fields to an active list, since date/time fields cannot be 
included in the Events section of the profile. 
Session List: You can add a pattern to a session list, or terminate a session list based on a pattern, 
where its event details are available to other correlation tools for reference. 

■ To add a pattern to a session list, select Add to Session List. In the dialog box, select a session list 
from the drop-down menu and click OK. 

■ To terminate a session list, select Terminate Session List. In the dialog box, select a session list 
from the drop-down menu and click OK. 

■ You cannot add fields to a session list if they are not present in the Events section of the profile. 

■ You cannot add any date/time-based fields to a session list (except End Time), since date/time 
fields cannot be included in the Events section of the profile. The End Time shown in the Add to 
Session List action is the time the entries are added to the session list. 

5. The action summary is displayed in the Actions tab. To remove lines that are not used, click 
Hide Empty Triggers. 


Creating Local Variables 

Click the Local Variables tab to manage local variables for this profile. These are available to select 
from the drop-down menu on the Attributes tab for Event Fields, Source, and Target attributes 
associated with the pattern. 

From this tab you can: 

• Add a new variable, which enables you to 

■ Name the variable 

■ Specify a function (expression). 

■ Specify the arguments. Available arguments depend on the function. 

• Edit an existing variable 

• Remove a selected variable 

• Make a variable global, which means it is available to resources outside this profile. If you make a 
local variable global, it moves from the Local Variables tab to the Fields and Global Variables 
tab in the chooser for Event Fields, Sources and Targets, on the Attributes tab. 

For more information on using local and global variables, see "Variables" on page 1069. 


Pattern Discovery supports the following variable return data types: 


• Byte 

• Long 

• Double 

• Resource ID 

• Enumeration 

• String 

• Integer 

• Address 


Therefore, function variables that return an unsupported data type are not supported. For example, the 
following functions or function categories are not supported: 

• Non-SQL-mode variables. 

• Variables that return a list, such as ActorByAccountID.AccountID and variables that operate on 
multi-mapped active lists or overlapping session lists. 

• Variables that return a boolean value, such as the Category Model function hasRelationship. 

Adding Notes 

You can keep track of changes made to a profile using the Notes feature. 

To add a note: 

1. In the Profile Editor, click the Notes tab. 

2. In the Notes field, enter a note and click Save to log it in the Table/List tabs. 

3. You can view notes as a table or as a list by toggling between the Table and List tabs. Re-order the 
table view by clicking the column header. 

Deleting a Profile 

1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab. 

2. Right-click a profile in the resource tree and choose Delete Profile. 

Caution: You can delete or modify a profile even if patterns and snapshots have been derived from 
it. If you delete the profile, the patterns and snapshots derived from it no longer work but are not 
removed automatically; if you modify it, they may not work as expected. Delete such patterns and 
snapshots when you delete their profile. 

3. Click Delete in the confirmation dialog box. 


Taking a Snapshot 

A snapshot is a record of qualifying events that occurred over a specified period of time and evaluated 
according to the snapshot profile. When the Pattern Discovery algorithm runs on the specified data set, 
it displays the result as a graphic, which you can use for investigation and analysis. 

You can generate snapshots manually, or run them on a schedule. You are likely to generate snapshots 
more frequently during the early stage of implementation, when you are establishing a baseline of 
normal patterns. Each snapshot is stored in the Navigator panel in Pattern Discovery on the 
Snapshots tab. 

You can also discover patterns directly from active channels. Right-click a channel in the Navigator 
panel and choose Discover Patterns. 

To take a snapshot: 

1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab. 

2. Right-click a profile in the resource tree and select Take Snapshot. 

3. In the Viewer panel, the system processes the snapshot request and reports each stage as the 
Pattern Discovery engine runs, marking a stage with "Done!" when it completes: 

• Pattern discovery run scheduled. 

• Building snapshot from events. 

• Saving snapshot. 

• Extracting patterns from snapshot. 

4. When the process finishes, the system displays the snapshot in the Viewer panel. The views are 
linked; click a node in the snapshot view to see its details in the patterns view. 

Tip: If the pattern is empty, no events passed the profile's filter restrictions during the 
specified period. Adjust the profile and generate the snapshot again. 


Exploring a Snapshot 

Here is an example of a snapshot: 

[Figure: example snapshot. The upper pane is the snapshot view; the lower pane is the pattern view.] 

The upper part of the Viewer panel presents the snapshot view, which shows a hierarchy of related 
event nodes. 

The lower part of the Viewer panel is the patterns view, which shows blocks of events from the 
hierarchy that are most closely related. Each block of events represents one specific path through the 
pattern hierarchy. 

The example shows two patterns and a demarcation point (between support = 45 and support = 18). The 
top two events are the SQL worm. The last event is generated by the system. Pattern Discovery 
classified 18 of the 45 sources as suspicious. There are 27 sources that ran the Slammer worm in the 
network but were not added to the suspicious list. This discovery enables you to investigate why those 
27 systems were not caught by the other surveillance mechanisms in place on your network; determining 
that will help you tighten your network security. 

The “support” value for each node is the number of times that event occurred with its related events. 

The higher the number, the higher the item appears in the hierarchy. For example, in the diagram below, 
there are two points at which there are sharp differences in support from one item to the next. This shift 
is called a demarcation point, and indicates a sub-pattern in a longer sequence. 

The demarcation points (encircled in the figure below) indicate attack stages, and sometimes variations 
of the same type of attack on different network systems. For example, the SQL worm propagation 
attempt makes up 1000 of the 1122 hostile attempts. The demarcation point in the center of the graphic 
shows that there are two variations: attack from suspicious source, and UDP Packet tcpdump. This 
can indicate how different systems process the same type of SQL worm attack. 

[Figure: snapshot view with the two demarcation points encircled.] 
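The following Python example, added here rather than taken from the guide, locates demarcation points along one path of the pattern hierarchy by flagging each step at which support falls by more than a chosen fraction, and then splits the path into the sub-patterns (attack stages) those points delimit. The path, its support figures and the 50 percent threshold are constructed for the example, and the threshold is the example's own choice: the page does not document the criterion ESM itself uses.

```python
# Constructed path through a pattern hierarchy, as (event name, support), root first.
# The names echo the guide's SQL worm example; the support figures are invented.
SAMPLE_PATH = [
    ("SQL worm propagation attempt", 1000),
    ("Attack from suspicious source", 45),
    ("UDP Packet tcpdump", 43),
    ("Suspicious source added to list", 18),
]


def demarcation_points(path, min_drop=0.5):
    """Flag each parent->child edge whose support falls by at least min_drop, expressed as a
    fraction of the parent's support. Returns (parent, child, parent_support, child_support, drop)."""
    points = []
    for (parent, parent_support), (child, child_support) in zip(path, path[1:]):
        if parent_support <= 0 or child_support > parent_support:
            # Support counts transactions containing the whole prefix, so it cannot grow
            # as the path gets longer; anything else is a malformed path.
            raise ValueError("support must be positive and non-increasing along a path")
        drop = 1 - child_support / parent_support
        if drop >= min_drop:
            points.append((parent, child, parent_support, child_support, round(drop, 3)))
    return points


def split_into_stages(path, min_drop=0.5):
    """Cut the path after every demarcation point; each piece is a candidate sub-pattern (stage)."""
    cut_after = {parent for parent, *_ in demarcation_points(path, min_drop)}
    stages, current = [], []
    for name, support in path:
        current.append((name, support))
        if name in cut_after:
            stages.append(current)
            current = []
    if current:
        stages.append(current)
    return stages


if __name__ == "__main__":
    for parent, child, ps, cs, drop in demarcation_points(SAMPLE_PATH):
        print(f"demarcation: {parent} ({ps}) -> {child} ({cs}), support drops {drop:.0%}")
    for i, stage in enumerate(split_into_stages(SAMPLE_PATH), 1):
        print(f"stage {i}:", [name for name, _ in stage])
```

On the constructed path the support falls by 95 percent between the worm propagation attempt and the suspicious-source classification, stays flat to the tcpdump variant, and falls again by 58 percent to the list update, so the path splits into three stages. Raising min_drop to 0.96 suppresses both points, which is the same judgment an analyst makes when deciding whether a dip is a genuine stage boundary or noise.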


Arranging Elements in Graphic View 

The buttons across the top let you zoom in, zoom out, and arrange the elements in different 
formations to give you better visibility of the overall pattern. 

Tools for Rearranging Graphic Elements 

Fit Content: Sizes the graphic to the available display space. 

Zoom In / Zoom Out: Increases or decreases the size of the displayed graphic. 

Zoom Selected: Zooms in on a selected portion of a graphic. 

Hierarchic Layout: Presents nodes in a vertically descending cascade, similar to a family tree. 
Hierarchic layouts are appropriate when viewing relationships with a common root. 

Organic Layout: Arranges nodes based on minimum edge length, which tends to cluster items with a 
common relation. Clusters with items in common also tend to group together. 

Circular Layout: Hub-and-spoke arrangements with each node radiating edges to, or receiving edges 
from, the items with which it interacts. Circular layouts are most useful when multiple roots are present 
or there are a number of source-target relationships to clarify. If an organic layout is difficult to read 
because the edges are too dense, try a circular layout. 

Orthogonal Layout: Arranges items on the basis of logical connections, using electrical 
schematic-style right-angle layouts. These layouts are useful for clearly tracing connections and 
identifying node clusters. 

Overview: Opens a reduced rendering of the entire graph. You can drag the highlighted section in the 
reduction to move the displayed area in the main view. 


In addition to the control buttons, you can drag items around in the Viewer panel while maintaining the 
connections. This can make the view clearer for overlapped items. 


Scheduling a Snapshot 

You can schedule a snapshot to be taken at intervals, so that Pattern Discovery becomes part of your 
daily analysis and operations. For example, as a best practice, you can run Pattern Discovery once a 
day to capture event patterns that happened over the last 24 hours. You can specify a longer period to 
find patterns with a longer term. To fully automate daily Pattern Discovery, add actions to the scheduled 
profile, such as sending notifications, opening cases, or adding systems to an active list, if certain 
conditions are met. 

1. In the Navigator panel, go to Pattern Discovery and click the Profiles tab. 

2. Right-click a profile in the resource tree and select Schedule Snapshots. 

3. On the Jobs tab, click Add. 

4. In the Summary field at the bottom, select Click here to set up schedule frequency. This 
activates the Job Frequency dialog. 

5. Click OK when you have set the frequency and time range. 

6. Repeat as required to add more schedules for the same snapshot. 

7. When you have added all the schedules for this snapshot, click OK at the bottom of the Jobs tab. 

8. To add an action to be taken every time the profile is run, specify an action in the Actions tab of the 
profile editor, as described in "Specifying Actions" on page 718. 

Re-opening a Snapshot 

If you have closed a snapshot in the Viewer panel, you can re-open it. 

1. In the Navigator panel, go to Pattern Discovery and click the Snapshots tab. 

2. Navigate to the snapshot graph. Right-click the snapshot and select Show Snapshot. 

When the snapshot's graphic has formed in the Viewer panel, you can click the icons at the top of the 
view to change its layout as described in " Visualizing Resources" on page 676. 

Deleting a Snapshot 

1. In the Navigator panel, go to Pattern Discovery and click the Snapshots tab. 

2. Right-click a snapshot in the resource tree and choose Delete Snapshot. 

3. Click Yes to confirm the deletion. 
Investigating Patterns 

When you take a snapshot, the Pattern view shown in the snapshot is also saved in the Patterns tab of 
the Pattern Discovery resource tree. You can use the Patterns tab to access more event investigation 
tools. 


Investigating Patterns in the Snapshots View 

Pattern Discovery gives you access to investigative tools from a series of buttons. The same tools 
are available from the right-click menu. The snapshot view and the patterns view offer most of the 
same investigative tools, with a few specific differences. Right-click any item in the graphical 
Snapshots view to open a new window within the snapshot view that contains details about the related 
events: 

Right-Click Options for Pattern Investigation 

Show related events: Opens a new active channel in the Snapshots tab, filtered with a matchesPattern 
operator. This channel uses the pattern, or the selected event-level in the pattern hierarchy, as its 
argument. To toggle back to the graphic view, click the Snapshot tab at the bottom of the snapshot 
Viewer panel. 

Investigate: Creates a channel in a grid view that contains the associated events sorted according 
to Attacker Address, Name, and Target Address. 

Tools: Configure... includes the following options, which can also be accessed directly through the 
larger Tools menu: 

• Nslookup - Resolves an IP address to a host name (domain name) and vice versa. 

• Ping - Determines whether a particular IP address is online, and tests and debugs a network by 
sending a packet and waiting for a response. 

• PortInfo - Lists standard usage such as WWW or FTP for a specified port number. 

• Traceroute - Shows the path from the ArcSight Console to the IP address selected in the grid view, 
reporting the IP addresses of all routers in between. 

• WebSearch - Searches the Web through Google for the keywords present in the currently selected 
active channel grid view cells. 

• Whois - Looks up who is behind a given domain name; information might include addresses and 
telephone numbers. 

• Results - Provides the results of running a network tool using the attributes of the selected pattern 
block. 

Note that these tools send traffic from the Console host toward the selected address (and, for 
WebSearch, send the selected cell values to Google), which can alert an attacker or disclose details 
of an investigation; weigh this before running them against hostile infrastructure. For more information 
about network tools, see the online Help. 

Create Rule...: Launches a Rules Editor in the Inspect/Edit panel. The rule you create here is stored in 
the Rules resource tree under the personal rules of the user who created it. For instructions about how 
to construct a rule, see "Creating Rules from Patterns" on page 735. 

Show Event Graph: Displays the pattern as an event graph, which shows pattern components and their 
relationships in graphic form. For more information about ESM event graphs, see the online Help. 

Show: Allows you to reset the graphic view with the following options: 

• Show all nodes - Displays the entire snapshot graphic. This is helpful if you have drilled down and 
wish to re-display the original snapshot. 

• Show all nodes containing selected items - Displays only the event hierarchy that contains the 
selected item. 

• Hide all nodes containing selected items - Displays all the event hierarchies that do not contain 
the selected item. 


The following example shows our sample pattern displayed as an event graph. To save space, the 
event graph consolidates items that have many members. In this case, the sample on the left shows 
the source address nodes consolidated into a single cluster, with a single line representing the 
connections to each of the event name nodes. 

To see the details and number of these connections, as shown on the right, uncluster the node by 
right-clicking the node and selecting Uncluster selected nodes. 

[Figure: the sample pattern as an event graph, with the source addresses clustered (left) and 
unclustered (right).] 

Toggle between multiple views in the Snapshot window using tabs. Unclustering the source address 
nodes allows you to see the details of those nodes. 

When you use the right-click menu to open a new view, it displays in a new tab within the snapshot 
pane. Use the tabs at the bottom of the pane to toggle between the views. 

To close tabs in the snapshot view, right-click the tab at the bottom and select Close. 

To rearrange open tabs in the snapshot view: 

1. Use the down-arrow button to tile the open tabs horizontally, vertically, or to fit. 

2. To select different views of an event graph, use the event graph view button. For details about 
viewing event graphs, see the online Help. 

Investigating Patterns in the Patterns View 

You can re-open just the patterns view part of the snapshot in the Viewer panel. 


ArcSight Console User's Guide, Chapter 27: Pattern Discovery (HP ESM 6.9.1c), page 731 of 1106 

1. In the Navigator panel, go to Pattern Discovery and click the Patterns tab. 

2. Select one or more patterns in the resource tree, right-click the selections and choose View 
Pattern. This opens the Pattern pane in the Viewer panel. 

3. You can take the same actions on the Pattern view as described in "Investigating Patterns in the 
Snapshots View" on page 729. 


In the Patterns view, you can click the Actions button or right-click a pattern, where you have the 
following options: 

Inspect Pattern: Opens the Pattern Inspector in the Inspect/Edit panel. For more information, see 
"Inspecting Patterns" on the next page. 

Create rule from Pattern: Launches a Rules Editor in the Inspect/Edit panel. The rule you create here 
is stored in the Rules resource tree under the personal rules of the creating user. For instructions 
about how to construct a rule, see "Creating Rules from Patterns" on page 735. 

Annotate Pattern: Click this to open the Annotations dialog box. This allows you to escalate a 
pattern to another user for further investigation. For more information about how to annotate a pattern, 
see "Annotating Patterns" on page 737. 

Show > Event Graph: Displays the events as an event graph, which shows interactions between two or 
more devices. For more information about how to use ESM event graphs, see the online Help. 

Show > Related Events: Click this to open a grid view of the events contained in the Pattern 
Discovery snapshot. 

Investigate > Create Channel: Creates a channel based on the selected pattern block. 

Investigate > Add Condition to Editor: Enables you to edit the condition statements associated with 
this pattern block. 


Viewing Patterns with Filter 

You can view patterns assigned to a particular user or stage using Annotations (described in 
"Annotating Patterns" on page 737). 

1. In the Navigator panel in Pattern Discovery, click the Patterns tab. 

2. Navigate to the pattern. 

3. Right click that pattern and select View Patterns with Filter. Use one or both of the following 
parameters for your search: 

To filter for patterns assigned to a user, use the Select a User drop-down menu. 

To filter for patterns assigned to a workflow stage, use the Select a Stage drop-down menu. 


Inspecting Patterns 

The Pattern Inspector provides one more level of investigative control. If you decide that a pattern 
requires more investigation, you can use the Pattern Inspector to edit its details to be more descriptive 
for other users. 

For example, you can rename the pattern from the default date and time of the snapshot to something 
more specific, such as “Potential worm attack.” Then you can add a description of the pattern so that 
another user can verify your findings. 

To launch the Pattern Inspector: 

1. In the Navigator panel, go to Pattern Discovery and click the Patterns tab. 

2. Right-click a pattern in the resource tree and choose Inspect Pattern. 


Details of the pattern are displayed in the Inspect/Edit panel. Use the following sections as described 
below to tailor the pattern for further investigation: 


Section Description 

Summary 

Use this section to modify the name of the pattern from the default date-and-time 
name to a more descriptive name. You can also add a description of the pattern to aid 
other analysts. The Profile field is not editable. 

Items 

Use the Investigate drop-down button or right-click an item name to display the 
associated event details in a channel in the Viewer panel. 

Snapshot 

Use this drop-down menu to open patterns generated from the same profile definition 
so you can compare them. 

Transactions 

This table shows the source and destination data defined in the profile (address, port, 
host name, and so on) for the events involved in the pattern. 

Time Spread 

This table is only present if you selected Record Time Order in the profile. This table 
shows the details about the time spans involved between pattern occurrences. 

• Average - the average time between events in this pattern 

• Deviation - the difference in time spread between multiple occurrences of this 
pattern 

• Min - the minimum time between events in this pattern 

• Max - the maximum time between events in this pattern 


The Pattern Inspector shows item details and source/target transactions. You can rename a 
pattern to something more specific than the default date and time, and you can include a description. 
Creating Rules from Patterns 

You can create rules based on discovered patterns. Going back to our example, if Pattern Discovery 
finds a pattern between an MS-SQL worm propagation attempt reported by Snort, an MS SQL version 
overflow attempt, and an attack from a suspicious source, this indicates dangerous worm activity, and 
you can create a rule to notify users or quarantine a server whenever the system detects traffic that 
matches this pattern. For additional information on creating and managing rules, see "Managing Rule 
Actions" on page 515. 

You can create rules from patterns in the Snapshot view in the Viewer panel, or in the Pattern Inspector 
in the Inspect/Edit panel. 

• To access the Rules Editor from the Snapshot view: 

Right-click any item in the hierarchy graphic and select Create Rule... 

• To access the Rules Editor from the Snapshot Patterns view: 

Right-click any item in the pattern block and select Create Rule... You can also click the Create 
Rule button in the button menu. 

• To access the Rules Editor from the Pattern Inspector: 

In the button menu, click the Create Rule button. 

The Rules Editor opens in the Inspect/Edit panel showing the Attributes tab. Once the Rules Editor is 
open, do the following: 

1. Follow the instructions in "Creating or Editing Rules" on page 495. You can also assign an external ID, 
alias, description, Version ID, owner, and notification groups, and mark the resource as 
deprecated. Click Apply. 

2. In the Rules Editor on the Conditions tab, the pattern's elements already appear in the common 
conditions editor. Modify the logic to express additional conditions for the rule to evaluate. For 
information, see "Specifying Rule Conditions" on page 498. 
Note: The OR conditions are intentional. OR is a more memory-efficient way to process rules 
than AND because the rule also applies a threshold value (the number of items involved) and 
distinct item names to track the components of the rule, rather than a blanket (join) approach. 


3. At the Aggregation tab, set the number of matches and time frame for the rule. 

4. At the Actions tab, set the actions for the rule to trigger when the thresholds are met. 

a. Click Hide Empty Triggers in the top row. This reduces the list of available thresholds to 
those that are active (applicable to the conditions set in the rule). 

b. Select a threshold from the list and click Add. Choose an action from the list that appears. See 

"Rule Actions Reference" on page 520. 

5. At the Variables tab, enter variables. Variables break down compound data fields into smaller 
parts so they can be sorted and acted upon. For example, you can break the 7-part timestamp field 
or a multi-value URI into component parts, which can be re-assembled in a more human-readable 
order, or sorted by component. For more about dependent variables, see the online Help and 
search for Variables. 

6. You can keep track of changes made to the rule using the Notes feature: 

a. In the Inspect/Edit panel, click the Notes tab. 

b. In the Notes field, enter a note and click Save. The entry is logged in the Table/List tabs. 

c. You can view notes as a table or as a list by toggling between the Table and List tabs. You can 
re-order the table view by clicking the column header. 
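The note on OR conditions above is easier to see in code than in the editor. The following is an added example, not ArcSight code or content: it models a rule built from the worm pattern in this chapter, with the pattern items combined by OR and the Aggregation tab's "number of matches" applied as a threshold on distinct item names per (source, target) pair inside a time frame. The item names, addresses and timestamps are constructed for the demonstration, and the per-key sliding window is an assumption about how such a rule could be evaluated, not a description of the Manager's internals.

```python
"""Sliding-window correlator for a rule derived from a Pattern Discovery pattern.

Added example (not ArcSight code). The three pattern items are ORed; the
aggregation threshold counts DISTINCT items per (src, dst) within a window.
All event names, addresses and timestamps below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical item names, based on the worm example in the text.
WORM_PATTERN = (
    "MS-SQL worm propagation attempt",
    "MS SQL version overflow attempt",
    "Attack from suspicious source",
)


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since epoch (constructed)
    name: str      # normalized event name
    src: str       # attacker address
    dst: str       # target address


class PatternRule:
    """OR over pattern items, aggregated on distinct items per (src, dst)."""

    def __init__(self, items, threshold, window_seconds):
        self.items = frozenset(items)
        self.threshold = threshold
        self.window = window_seconds
        # Per key we keep only the (timestamp, item) pairs still inside the
        # window: bounded state, no cross-join of every candidate event
        # against every other, which is the point of the note on OR.
        self._state = defaultdict(deque)

    def matches(self, event):
        """The OR condition: any single pattern item matches."""
        return event.name in self.items

    def feed(self, event):
        """Return True when this event completes the pattern for its key."""
        if not self.matches(event):
            return False
        key = (event.src, event.dst)
        window = self._state[key]
        window.append((event.ts, event.name))
        # Drop entries that have fallen out of the aggregation time frame.
        while window and window[0][0] < event.ts - self.window:
            window.popleft()
        distinct_items = {name for _, name in window}
        if len(distinct_items) >= self.threshold:
            window.clear()          # fire once per complete occurrence
            return True
        return False


def run_rule(rule, events):
    """Feed events in time order; return the (src, dst) keys that fired."""
    fired = []
    for ev in sorted(events, key=lambda e: e.ts):
        if rule.feed(ev):
            fired.append((ev.src, ev.dst))
    return fired


# Constructed sample stream.
SAMPLE_EVENTS = [
    # All three items from one source against one target within 60 s: fires.
    Event(100.0, WORM_PATTERN[0], "10.1.1.5", "10.2.2.20"),
    Event(120.0, WORM_PATTERN[1], "10.1.1.5", "10.2.2.20"),
    Event(130.0, WORM_PATTERN[2], "10.1.1.5", "10.2.2.20"),
    # Same item three times: the OR condition matches, the threshold does not.
    Event(200.0, WORM_PATTERN[0], "10.1.1.9", "10.2.2.20"),
    Event(201.0, WORM_PATTERN[0], "10.1.1.9", "10.2.2.20"),
    Event(202.0, WORM_PATTERN[0], "10.1.1.9", "10.2.2.20"),
    # Three distinct items, but spread wider than the 60 s time frame.
    Event(300.0, WORM_PATTERN[0], "10.1.1.7", "10.2.2.21"),
    Event(400.0, WORM_PATTERN[1], "10.1.1.7", "10.2.2.21"),
    Event(500.0, WORM_PATTERN[2], "10.1.1.7", "10.2.2.21"),
    Event(510.0, "Unrelated event", "10.1.1.7", "10.2.2.21"),
]

if __name__ == "__main__":
    rule = PatternRule(WORM_PATTERN, threshold=3, window_seconds=60)
    print(run_rule(rule, SAMPLE_EVENTS))   # [('10.1.1.5', '10.2.2.20')]
```

Lowering the threshold to 1 turns the rule into a plain OR that fires on every matching event; raising the time frame to cover the third group (300 to 500 seconds) makes that group fire as well, which is the trade-off you tune on the Aggregation tab.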


Annotating Patterns 

Annotation is a light-weight method to escalate a pattern to other users through your workflow system 
for analysis or investigation. You can use annotations instead of cases to escalate only one pattern. 
Use cases to escalate multiple patterns or if you use a third-party incident management system. 

You can annotate patterns from the snapshot and Pattern views in the Viewer panel, or within the 
Pattern Inspector in the Inspect/Edit panel. 

To access the Annotation Editor from the Snapshot Patterns view: 

1. In the Navigator panel, go to Pattern Discovery and click the Snapshots tab. 

2. Double-click the snapshot to display it in the Viewer panel. 

3. Expand the pane so you can see the Patterns view at the bottom. 

4. Right-click any item in the pattern block and select Annotate Pattern. You can also click the 
Annotate Pattern button in the button menu. 

To access the Annotation Editor from the Pattern Inspector: 

1. In the Navigator panel, go to Pattern Discovery and click the Patterns tab. 

2. Navigate to the pattern and double-click it. 

3. In the Inspect/Edit pane on the Pattern Inspector tab button menu, click the Annotate Pattern 
button. 

4. In the Resource Annotation editor, enter the following values and click OK. 


Field 

Value 

Stage 

Select a stage from the drop-down menu. The default is Queued. 

Assign to 

Select a user from the drop-down menu. 

Comments 

Enter any comments to communicate to other ArcSight users. 


Deleting a Pattern 

1. In the Navigator panel, go to Pattern Discovery and click the Patterns tab. 

2. Select one or more patterns. 

3. Right-click the selected patterns in the resource tree and choose Delete Pattern. 

4. Click Yes to confirm the deletion. 


Usage Guidelines 


Establishing a Baseline of Normal Patterns 

Use broader profiles and more frequent snapshots to capture an example of all the patterns that occur 
as part of normal business practices. Identifying normal patterns takes time and investigation, and 
requires that you be familiar with traffic in your enterprise. 

Once you have identified normal patterns, use annotation to move them out of the analysis workflow. 
You can also use filters, but it is more reliable to move patterns by annotating them to a stage, such as 
Closed, because it ensures that the pattern has been inspected and classified. For instructions about 
how to use annotation to manage the Pattern Discovery workflow, see "Annotating Patterns" on the 
previous page. 


Using Pattern Discovery in Routine Operations 

Once normal patterns are identified and annotated so they are removed from the routine traffic flow, you 
can focus on the new patterns that are not yet classified. Routine operations consist of the following 
tasks: 

• Workflow. As Pattern Discovery turns up new or unclassified patterns, a designated user needs to 
review them and start them through the workflow using the ESM annotations feature. You can also 
schedule Pattern Discovery to run at intervals. 

• Investigation and analysis. Once assigned to an analyst, the analyst can use the full array of 
ArcSight’s investigation and analysis tools, including snapshot and pattern graphics, event graphs, 
filters, and rules, to determine the level of threat represented by the pattern. 

During this investigation, it may be useful to drill down to the native device information to help 
identify the significance of a pattern. For example, if an event in a pattern was generated by Snort, 
you can retrieve the Snort rule number and look for its detailed explanation to obtain important event 
details. 

• Take action. When a threat level is determined, the analyst can take a number of actions, such as 
use the ArcSight rule builder to take a prescribed action on this pattern and others that match it that 
may occur in the future; assign it to another user for follow-up; or close the pattern if it is deemed 
benign. 


Performance Considerations 

Pattern Discovery jobs can be resource intensive. Under high EPS (for example, greater than 15K), 
Pattern Discovery jobs can cause a degradation in performance, and may fail to return a matching 
result set. ArcSight recommends that you reduce the scope or frequency of Pattern Discovery jobs 
when running a system with high EPS. 


Adjusting Pattern Discovery Memory 

By default, Pattern Discovery limits its memory usage to about 4 GB of memory. However, if the 
search for patterns involves too many transactions and events, the task can run out of memory and 
abort. If the Pattern Discovery task aborts, a message to that effect appears in the ArcSight Console. 
Run the Pattern Discovery task again after increasing the Pattern Discovery memory usage limit. You 
can control the memory usage limit indirectly by changing the maximum number of transactions and 
events that can be held in memory. 

For information, see “Adjusting Pattern Discovery Memory” in the Configuration chapter of the 
Administrator’s Guide. 





Chapter 28: Actors 

The actors feature creates a real-time user model that maps humans or agents to activity in 
applications and on the network, making it possible to identify the actors behind events. 

After the actor model is in place, you can construct category models to visualize relationships among 
actors and use those relationships for correlation. 

This topic describes how to use the actors resources to model users and associate them with events. It 
also describes how to construct category models to depict relationships among actors. 


About Actors 

A critical factor in having situational awareness is knowing who is doing what with resources on your 
network, when they’re doing it, and how. This awareness is critical for maintaining network security and 
demonstrating compliance with the increasing requirements of regulatory standards. 

Identity management systems (IDMs) enable IT security professionals to protect their assets while 
granting different levels of access to a range of users, such as full-time employees, part-time 
employees, employees with certain security clearances, partners, contractors and customers. 

However, following exactly what a specific person is doing across all the resources on your network 
can be difficult, because each user will have different account IDs and roles on different systems and 
applications. Examples of different information used to identify a given user include badge IDs 
(physical access devices), MAC addresses (for devices assigned to a specific person), email 
addresses, usernames, Distinguished Names (particularly for Active Directory-related events), and so 
on. 

The Actors feature maps humans and their activity to events from applications and network assets by 
leveraging user attributes defined within identity management systems and correlating them with user 
account information from the user authentication systems on your network. Correlating user identifiers 
from the event traffic that reflects their activity throughout the day makes it possible to ensure that 
users are doing role-appropriate activity across the assets in your organization, and to detect and track 
inappropriate access and suspicious activity. 

The Actors feature works in conjunction with ArcSight’s Actor Model Import connectors, which 
regularly poll your Identity Management System (such as the SmartConnector for Active Directory 
Actor Model Import). This system automatically maintains an up-to-date actor model you can use to 
correlate users and their roles with their activity on the network. 

Note: ArcSight supports actor models with up to 500,000 actors 

ArcSight supports actor models with up to 500,000 members. Supporting a large actor model can 
require special configuration. For details, see “Tuning Guide for Supporting Large Actor Models” in 
the “Configuration” chapter of the Administrator’s Guide. 
Also, see the searchindex command in the “ArcSight Commands” chapter of the ESM Administrator’s 
Guide. The searchindex command is a utility that creates or updates the search index for resources in 
the database. 

If the actor model is in place, use the modeling and visualization tools (category models) to show direct 
and indirect relationships among actors in the actor model. You can use this model to group and 
visualize users in your organization in numerous ways, such as reporting structures, organizational 
units, or role-based functions, then use these relationships as parameters in user-defined monitoring, 
analysis, and correlation. 

For testing purposes, you can also manually add actors. You can also import or redefine views of user 
groups and relationships with category models. 

Actor channels and navigating thousands of actors 

Actor channels present all the actors in your actor model in a single, scrollable view. Like active 
channels, apply local filters to actor channels to find actors with certain attributes. 

Actor channels are the only way to see actor models that contain 1,000 or more members because 
display space in the Navigator panel is limited. You can also use actor channels for viewing actor 
models with fewer than 1,000 members. 

For more about actor channels, see "Viewing Actors in an Actor Channel" on page 753. 

Viewing relationships among actors using category models 

After you have configured actor information, you can make logical groupings to represent relationships 
among actors and actor attributes using category models. 

Category models can reflect direct actor relationships, such as reporting hierarchies, or relationships 
between actors who share common attributes, such as actors in a particular location. Category models 
can also reflect relationships between actors using custom attributes defined by the user. 

To visualize relationships using category models, leverage the data gathered in the models using the 
HasRelationship function in local and global variables. 

Refer to these related topics: 

• "Creating and Using Category Models" on page 768. 

• "Viewing Category Models in Graphs" on page 778. 

• "Leveraging Category Model Data Using Variables" on page 781 . 

Using actor global variables to identify actors from events 

The actor data stored in the Actor Resource Framework coupled with actor global variables make it 
possible to identify an actor from any given event, then correlate that activity with other activity or 
attributes of that actor. The ability to identify an actor from a given event and correlate that activity with 
other events involving that actor and attributes of that actor, such as location and role, make it possible 
to verify that an actor’s activity across the network is appropriate. 
Standard content provides a series of actor global variables that are part of the Actor Resource 
Framework, which identifies and stores actor-related data from events in the look-up tables of the Actor 
Resource Framework. You can also use these global variables in your own correlation content. For 
more about using the Actor Resource Framework global variables, see the ArcSight Standard Content 
Guide that comes with this ESM release. 

You can construct your own actor global variables. For an outline of this process, see "Leveraging 
Actor Data Using Variables" on page 766. 

Using Standard Content to Track Actor Configuration Changes 

Standard content also provides a set of coordinated resources that track actor configuration changes, 
such as when actors are created, updated, and deleted. 

For more about this standard content, see the ArcSight Administration and ArcSight System Standard 
Content Guide that comes with this ESM release. 


How the Actors Feature Works 

ArcSight SmartConnectors normalize event data from hundreds of different devices on a network into a 
common data schema. The Actors feature normalizes user identity information stored in different 
formats in different authentication data stores to create a complete profile of data used to identify each 
user on your network in various contexts. 

As shown in the following example, a model import connector imports data from an identity 
management system, such as Microsoft Active Directory. For a complete list of supported identity 
management systems, contact Customer Support. 

In the following example, the actor data comes in from the Microsoft Active Directory system using a 
model import connector. Events arrive from applications that all use different data stores to 
authenticate user activity, which all use different account IDs to identify the user John Zed. The activity 
is identified as belonging to the same actor. That actor is represented as JOHN. 



The actors feature works in conjunction with an Actor Model Import connector to import user data from 
an identity management system and to normalize user data in event traffic. 
The actors feature is supported internally using the Actor Resource Framework, a series of internal 
look-up tables maintained by regular updates from the Actor Model Import connector. 

As part of setting up the actors feature, you also configure an applications and authenticators active list 
to identify the mapping between the applications in your network environment and the data stores they 
use to authenticate users. In the example shown above, Windows Server Active Directory is the 
authentication data source for Microsoft Exchange and SAP Real-Time Security. 

The following diagram shows a detailed look at how the Actors feature works. When events arrive at 
the Manager, resources that use conditions or select fields invoke one or more of the actor global 
variables provided in standard content. These global variables and the actor data maintained in the 
Actor Resource Framework provide several ways to identify actors using whatever user identity 
attributes are available in events arriving from different applications from across the network. 

The global variables first look up the authenticator using the device-specific data, such as vendor and 
product information in the event, then look up the relevant user information from the Actor Resource 
Framework tables to positively identify the actor. For details about the Actor Global Variables in 
standard content, see the ArcSight Administration and ArcSight System Standard Content Guide that 
comes with this ESM release. 
Resources leverage system-provided actor global variables to look up actor identity attributes 
maintained in the Account Authenticators table and the Actor Resource Framework. 
About the Actor Model Import Connectors 

The ArcSight Actor Model Import connectors support bulk import of user accounts from multiple identity 
management systems, such as Microsoft Active Directory. (For a complete list of supported identity 
management systems, see the ArcSight connector documentation.) 

The Actor Model Import connector imports the user data into the actors resource, where it is leveraged 
by the infrastructure that identifies and tracks user activity. Correlated and normalized data about user 
activity is then available for monitoring and investigation, further correlation, and reporting. 

The actor model used to describe users is automatically populated with the attributes configured on the 
Actor Model Import connector when the connector first connects to the Manager. 

Caution: Actor Model Import connector should be configured with all attributes you are 
interested in tracking before initial connection. 

During Actor Model Import connector configuration, make sure that all the attributes you are 
interested in tracking are configured. After actor information is imported into ESM, and the Actor 
Model Import connector has an updated list, existing actors in ESM are not updated. 

To update existing actors with new or removed attributes sent from the Actor Model Import 
connector after an actor model has already been imported, first delete the actor group, then re- 
import the actor data. 

For details about how to delete an existing actor group, see "Deleting Actors" on page 766. 

The following table lists the attributes that the actor model supports. The Actor Model Import connector 
administrator configures the Actor Model Import connector with the attributes from this list that it will 
send to populate the actor model. Not all IDM systems support all these attributes. An actor resource is 
only populated with the attributes configured by the Actor Model Import connector administrator. 


Single-value attributes 

UUID 
First Name 
Middle Initial 
Last Name 
Full Name 
IDM Identifier 
DN 
Employee Type 
Status 
Title 
Company 
Organization 
Department 
Manager 
Assistant 
Email Address 
Location 
Office 
Business Phone 
Mobile Phone 
Fax 
Address 
City 
State 
Zip Code 
Country Or Region 

Multi-value attributes 

Account 
• Account ID 
• Authenticator 

Role 
• Role Name 
• Resource Name 
• Role Type 

In addition to the basic single-value attributes, each actor will likely have multi-value attributes, 
specifically multiple account IDs, and multiple roles, which are tracked using your IDM system. These 
multi-value attributes can appear differently in events coming from different devices. In some cases, 
such as a non-IT-related role, the information is not included in event data at all, but is still valuable 
information to help identify users and correlate their activity to help ensure appropriate behavior and 
access to resources hosted on the network. 


Troubleshooting Errors with Actor Model Imports 

It is possible that during the actor import process from the Actor Model Import connector, one or more 
actor import files containing data for multiple actors may not have imported successfully into the 
Manager. This might happen because of network connection problems, an out-of-memory error, or 
some other problem that caused the import of that file to fail. 

In such cases, there is an archive file in $ARCSIGHT_HOME/archive/webservices for each actor import 
file that failed to import successfully. Each such archive file is created with the file extension .bad. 

If an actor file did not import as expected, or during routine maintenance, check the 
$ARCSIGHT_HOME/archive/webservices directory for actor files that failed to import. 

The .bad archive file contains all the missing actor information, and you can use the ArcSight Archive 
utility to import that file individually from a command line on the Manager system. For instructions about 
how to run the Archive utility to import an archive file, see the topic “The Archive Command Tool” in the 
Administrator’s Guide. 


Tip: Tips for using the Archive utility: 

• To see a list of commands available with the Archive utility, include -h (for “help”) in the archive 
utility command script. 

• If the archive file name starts with a dash (-), rename the file before running the Archive utility to 
ensure that the command works. 


For details about the Actor Model Import connector and how to configure it, see the Actor Model Import 
connector documentation for your IDM system, for example, the SmartConnector Configuration Guide 
for Microsoft Active Directory Actor Model. 


Configuring Actors 

Configuring actors requires a one-time setup procedure and minimal future maintenance if 
authentication systems are added, modified, or removed from your network. This setup procedure 
maps the user authentication systems you use in your network environment and the account IDs for 
each user on those systems. 

1. Install the Actor Model Import connector appropriate for your IDM. For complete 
instructions about how to install the connector, see the relevant SmartConnector installation and 
configuration guide, such as the SmartConnector Configuration Guide for Microsoft Active 
Directory Actor Model. After installation, the connector polls the IDM and imports the user data 
into the actor model. 

2. Identify the authenticators in your environment. In preparation for configuring the 
authenticator mapping table, open the dashboard for automatically identifying the user 
authentication data stores running in your environment and their type: 

/All Dashboards/ArcSight Administration/ESM/Configuration Changes/Actors/Actor 
Administration 

This dashboard is populated by the following query viewer, which looks for events with a value in 
the Authenticator field: /All Query Viewers/ArcSight Administration/ESM/Configuration 
Changes/Actor/Actor Authenticators 

The example below shows the value of the Authenticator field for an Active Directory system, 
configured as Active Directory: <domain>.com. Use this exact value, including punctuation, 
spaces, and capitalization, to populate the account authenticators mapping table described in the 
next step. 



3. Configure the Authenticators mapping table. Using the information gathered in step 2, fill out 
the account authenticators mapping table provided at /All Active Lists/ArcSight 
System/Actor Data Support/Account Authenticators. The data you enter here must exactly 
match the values displayed in the Actor Administration dashboard. 

a. In the Navigator panel, go to Lists > Active Lists. Right-click the active list /All Active 
Lists/ArcSight System/Actor Data Support/Account Authenticators and select 

Show Entries. 

b. In the Account Authenticator Details tab in the Viewer screen, click the Add icon. 

c. For each account authenticator data store, enter the following data: 
Column 

Description 

Device Vendor 

The vendor that supplies the authentication data store, such as Microsoft. 

Device Product 

The application name of the authentication system, such as Active 
Directory. 

Agent Address 

The IP address of the reporting SmartConnector. 

Agent Zone Resource 

The zone in which the reporting SmartConnector resides. 

Authenticator 

Enter the exact value(s) returned for Authenticator in the Actor 
Administration dashboard from the previous step, including punctuation, 
capitalization, and spaces. 

Using the example shown in the previous step, the value you would enter in 
this column would be: 

Active Directory: arcsight.com 

When you are finished, the Account Authenticators table should look something like this: 


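The two-stage lookup described in "How the Actors Feature Works" and the mapping table filled in during step 3 above, as an added example that is not ArcSight code or content: the first stage maps the reporting device (vendor, product, agent address, agent zone) to its authenticator string through a constructed Account Authenticators table, and the second maps (authenticator, account ID) to an actor through a constructed Actor Resource Framework-style index. The actor "JOHN", the table rows, the event field names (deviceVendor, sourceUserName and so on) and the case-folding of account IDs are all assumptions made for the demonstration.

```python
"""Two-stage actor lookup: authenticator table, then actor account index.

Added example (not ArcSight code). Table rows, actors and events are
constructed; event field names and the account-ID normalization are
assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Actor:
    uuid: str
    full_name: str
    dn: str
    # Multi-value Account attribute: authenticator -> set of account IDs
    accounts: dict = field(default_factory=dict)
    # Multi-value Role attribute: (role name, resource name, role type)
    roles: list = field(default_factory=list)


# Stage 1: Account Authenticators active list (constructed). The key is the
# four identifying columns; the value must match the dashboard string exactly.
ACCOUNT_AUTHENTICATORS = {
    ("Microsoft", "Exchange", "10.0.0.5", "Corp Zone"): "Active Directory: arcsight.com",
    ("SAP", "Real-Time Security", "10.0.0.6", "Corp Zone"): "Active Directory: arcsight.com",
    ("Oracle", "Oracle Database", "10.0.0.8", "Corp Zone"): "Oracle DB: hr.arcsight.com",
}

# Actor model (constructed): one person known by several account IDs.
ACTORS = {
    "JOHN": Actor(
        uuid="JOHN",
        full_name="John Zed",
        dn="CN=John Zed,OU=Sales,DC=arcsight,DC=com",
        accounts={
            "Active Directory: arcsight.com": {"jzed", "john.zed"},
            "Oracle DB: hr.arcsight.com": {"JZED01"},
        },
        roles=[("Sales Rep", "SAP", "IT"), ("Team Lead", "Sales", "Business")],
    ),
}


def normalize_account(account_id):
    """Compare account IDs case-insensitively after dropping a leading
    DOMAIN\\ prefix (assumption about how IDs appear in events)."""
    return account_id.rsplit("\\", 1)[-1].strip().lower()


def build_account_index(actors):
    """Stage 2 table: (authenticator, normalized account ID) -> actor UUID.
    An account that maps to two actors is a modelling error, so refuse it."""
    index = {}
    for actor in actors.values():
        for authenticator, ids in actor.accounts.items():
            for account_id in ids:
                key = (authenticator, normalize_account(account_id))
                if key in index and index[key] != actor.uuid:
                    raise ValueError(f"account {key} maps to two actors")
                index[key] = actor.uuid
    return index


def lookup_authenticator(event):
    """Stage 1: which data store authenticated the user for this device?"""
    key = (event["deviceVendor"], event["deviceProduct"],
           event["agentAddress"], event["agentZone"])
    return ACCOUNT_AUTHENTICATORS.get(key)


def resolve_actor(event, index, actors):
    """Return the Actor behind the event's source user, or None."""
    authenticator = lookup_authenticator(event)
    if authenticator is None:
        return None   # reporting device has no row: fix the active list first
    uuid = index.get((authenticator, normalize_account(event["sourceUserName"])))
    return actors.get(uuid) if uuid else None


# Constructed sample events.
SAMPLE_EVENTS = [
    {"deviceVendor": "Microsoft", "deviceProduct": "Exchange", "agentAddress": "10.0.0.5",
     "agentZone": "Corp Zone", "sourceUserName": "ARCSIGHT\\JZed"},
    {"deviceVendor": "Oracle", "deviceProduct": "Oracle Database", "agentAddress": "10.0.0.8",
     "agentZone": "Corp Zone", "sourceUserName": "jzed01"},
    {"deviceVendor": "Cisco", "deviceProduct": "ASA", "agentAddress": "10.0.0.9",
     "agentZone": "Corp Zone", "sourceUserName": "jzed"},        # no authenticator row
    {"deviceVendor": "SAP", "deviceProduct": "Real-Time Security", "agentAddress": "10.0.0.6",
     "agentZone": "Corp Zone", "sourceUserName": "svc_batch"},   # account not in model
]

if __name__ == "__main__":
    index = build_account_index(ACTORS)
    for ev in SAMPLE_EVENTS:
        actor = resolve_actor(ev, index, ACTORS)
        print(ev["sourceUserName"], "->", actor.uuid if actor else None)
```

The two None results are the cases worth alerting on in practice: a device whose events carry user names but has no Account Authenticators row will never be attributed to an actor, and an account that authenticates successfully but is absent from the IDM export is exactly the kind of orphaned or service account that the actor model is meant to surface.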

Permissions Required to Use Actor-Related Data 

By default, users in the Administrators group have full read/write access to the Actors feature and the 
other resources that actors depend on. The administrator can grant permissions for actors and the other 
resources upon which the actors feature depends to other users. 

Permissions to create actors, actor channels, and category models: 

• Read and write on /All Actors 

• Read and write on /All Session Lists/ArcSight System/Actor Data and /All Session 
Lists/ArcSight System/Actor Data Support 

• Read on /All Field Sets/ArcSight System/Actor Field Sets/Actor Base 

• Read on the filters used to define the event ACLs for that user group, for example, /All 
Filters/ArcSight System/Core 

• Read and write on the group in which the new resource is being created 

Permissions to view actors and category models, and monitor actor channels: 

• Read on /All Actors 

• Read on /All Session Lists/ArcSight System/ Actor Data and /All Session 
Lists/ArcSight System/Actor Data Support 

• Read on /All Field Sets/ArcSight System/Actor Field Sets/Actor Base 

Permissions to use actor global variables provided in standard content rules, active 
channels, and reports that leverage actor data: 

Read access on the following resources and groups: 

• /All Fields/ArcSight System/Actor Variables (either directly, or inherited from /All 
Fields/ArcSight System) 

• /All Actors 

• /All Session Lists/ArcSight System 

• /All Active Lists/ArcSight System/Actor Data Support (for the authenticator active list) 

• The appropriate group that gives all the queries used by a query viewer that leverages actor data 

• The appropriate group that contains a query viewer that leverages actor data 

• The appropriate group(s) for the filters used by any queries and query viewers that leverage actor 
data 

In addition to these permissions on the actor-related resources themselves, read permissions are 
needed for any resources (such as filters, user-created actor global variables, and so on) upon which 
these actor-related resources rely. 

Note: Best practice: Log out and log back in again for permission changes to take effect. 

As a best practice whenever an administrator changes another user’s permissions, the other user 
should log out and log back in again. This ensures that the new permissions are registered with the 
Manager, and the user can see the changes. 

For details about how to assign permissions to user groups, see 'Managing Permissions" on page 189. 
Viewing Actors on the Console 

To navigate to Actors: 

In the Navigator panel, select Actors. Here you will find the actors resource and the category models 
you can use to organize and visualize them. 

In a typical workflow, actors are created automatically by installing the ArcSight Actor Model Import 
connector and configuring it to your IDM system. New actors added to the IDM are automatically 
created and existing ones updated with changes made on the IDM with every connection made 
between the Manager and the Actor Model Import connector as described in "About the Actor Model 
Import Connectors" on page 744. 

For testing purposes, you can also create an actor individually using Console resources, or edit an 
existing one. For more about creating actors individually for testing purposes, see "Creating and Editing 
Actors for Testing Purposes" on page 762. 

Note: Console-created actors or those edited individually using Console resources do not 
update the user information stored in the IDM. 

Communication from your IDM to the Manager is one way. Any actors that you add or existing 
ones that you update using Console tools are not added to the IDM system. Any changes you 
want to persist to the IDM should be made at the IDM, and the new actor information will be 
automatically imported into the actor model at the next Actor Model Import connector connection. 


To view actor models: 

You can view actor models with fewer than 1,000 members from the Navigator panel. Upon 
connection, the Actor Model Import connector creates the destination group in which the actors are 
placed based on the value set at the Actor Model Import connector. The example below shows three 
actors in a group called World-Wide Operations. 
Viewing an Actor in the Actor Editor 

To view the details of a particular actor in the Actor editor, double-click the actor, or right-click the actor 
and select Edit. Use the scroll bar to see all the actor attributes. 



Viewing Actor Base Attributes 

The attributes in the Actor section of the Actor editor are also referred to as the Actor Base attributes. 
These are the basic standard attributes that describe an actor. These base attributes are part of the 
Actor Base field set. (For more about actor field sets and usage, see "Creating and Using Field Sets" 
on page 546.) 
Actor Base Attributes 

Attribute          Description 

UUID               The Universally Unique Identifier for the actor 
Full Name          The actor’s full name 
First Name         The actor’s first name 
Last Name          The actor’s last name 
Middle Initial     The actor’s middle initial 
IDM Identifier     The friendly name for the IDM. The IDM is selected by the Actor Model Import 
                   connector administrator during Actor Model Import connector setup. 
DN                 The distinguished name for the actor, for example, 
                   CN=John Doe, OU=Sales, DC=companyname, DC=com 
Employee Type      The type of employee this actor is in your company, for example, full-time, exempt, 
                   or contractor. 
Status             The employment status of the actor’s account, for example, Active, Deleted in 
                   IDM, or Disabled. 

                   Notes: 

                   • When an actor is deleted from the IDM, the actor will remain in the actor model with 
                     the status Deleted in IDM. 

                   • The actor license tracking feature includes actors that are still in the actor model 
                     with the status Disabled or Deleted in IDM. The identity management feature 
                     preserves disabled and deleted actors in the actor model to track any unauthorized 
                     activity related to disabled or deleted actors. If you do not want the license tracking 
                     feature to evaluate actors with the status Disabled or Deleted in IDM, you can 
                     manually remove them from the ESM actor model. Manually removing disabled or 
                     deleted actors also removes the ability to track unauthorized activity related to 
                     these accounts. 

                   For more about the license tracking feature, see "License Tracking" on page 58. 
Title              The actor’s job title 
Company            The company by whom the actor is employed 
Org                The organization within your company of which the actor is a member 
Department         The department within your company of which the actor is a member 
Manager            The distinguished name of the actor’s manager 
Assistant          The name of the actor’s assistant as it appears in the IDM 
Email Address      The actor’s company email address 
Location           The actor’s location name 
Office             The actor’s office name 
Business Phone     The actor’s business phone 
Mobile Phone       The actor’s mobile phone 
Fax                The actor’s fax number 
Address            The actor’s business address 
City               The city of the actor’s business address 
State              The state of the actor’s business address 
Zip Code           The zip code of the actor’s business address 
Country Or Region  The country of the actor’s business address 


Viewing Actor Account Attributes 

The Account_Attributes table displays the unique account IDs attributed to this user by the various 
user authentication data stores relevant to this user. Like the base actor attributes, the values in this 
table are populated by values from the Actor Model Import connector for your IDM system. 

Field            Description 

Authenticator    The friendly name for the user authentication data store containing the actor’s 
                 account ID 
Account ID       The account ID for the actor 


Viewing Actor Role Attributes 

The Role_Attributes table displays role name, resource type, and role type for each role represented by 
the actor. The values in this table are also populated by values from the Actor Model Import connector 
for your IDM system. 
Field            Description 

Role Name        The name of the role or group, such as Administrators or Software Developer 
Resource Name    The name of the resource in which the role is assigned, such as the active directory 
                 domain, identity management system, or application 
Role Type        The role’s category, such as Global Security Group, Business Role, or IT Role 


Note: Because an actor can have multiple roles, a query viewer will display each role in separate 
entries. For example, if an actor has 4 accounts and 10 roles, running a query on this actor’s 
accounts and roles will result in the Cartesian product of the accounts and roles: a total of 40 
entries. 

For information about queries, see "Building Queries" on page 301. For information about query 
viewers, see "Query Viewers" on page 323. 


Viewing Actors in an Actor Channel 

The actor channel is an active channel with a simplified header that displays the actor resources in your 
actor model. 

[Figure: Actor channel, with the count of actor resources shown in the channel header] 

Note: The radar on an actor channel has no relevance, unlike on an event channel. 

For actor models that contain thousands of members, actor channels present all the actors in your actor 
model in a single, scrollable view. You can apply local filters to actor channels to find actors with 
certain attributes. 


If a group in your actor model contains more than 1,000 members, the actor tree in the Navigator panel 
displays the message shown below: 

[Figure: Navigator panel, Actors tree. Under Shared > All Actors > actor.com, the World-Wide Operations 
group shows the message "This group has more items than can be displayed. Double click to open a channel."] 

You can also view actor models with fewer than 1,000 members in an actors channel. 

To view an actor model in an actors channel: 

1. In the Actors navigation panel, right-click an actors group and select Show Actors. If your actor 
model contains more than 1,000 members, you can also double-click the message “This group 
has more items than can be displayed. Double click to open a channel.” 

Note: When you select Show Actors on a group, the actor channel will only display the 
members of that immediate group. If the group has a sub-group, the actors in that sub-group 
will not be displayed in the actor channel. 

To view the actors in a sub-group, right-click that group and select Show Actors. 

2. In the Viewer panel, navigate to the actor channel. 

The following sections describe the attributes of an actor channel, and how to interact with them. 


Sorting Fields in Actor Channels 

The fields shown on actor channels are from the Actor Information Field Set (/All Field 
Sets/ArcSight System/Actor Field Sets/Actor Information). 

Sort fields in actor channels the same way you sort fields for event-based channels. 
Note: You cannot sort multi-value columns, such as Account ID. 

The names of sortable fields in column headers are indicated with a double-arrow icon. If a field is 
already sorted, an up or down arrow indicates the direction of the sort. 

• To sort the list by a column, right-click over the column and select Sort Column. 

• To reverse the sort order, select Sort Column again on an already-sorted column. 

• To remove a sort, right-click over a sorted column and select Remove Sort. 

For more about sorting columns in channels, see "Sorting Events in an Active Channel" on page 212. 


Actor Channel Options 

There are several options available to take on actors from the tree view in the Navigator panel and from 
the grid view in the Viewer panel. 


Actor Channel Right-Click Options from the Grid View 

Option                        Description 

Export                        Save the actor data in this actor channel as a CSV list. 
Edit Actor                    Open the selected actor to view its details in the event inspector. 
Delete Actor                  Delete the selected actor from the actor model. 

                              Caution: Make sure the actor is also deleted from the source IDM. Subsequent 
                              updates from the IDM that still contains this actor data can result in an unstable actor 
                              data set for this actor. 
Add Actors to Category Model  Add the selected actors to an existing category model. 
Add to Package                Add the selected actors to a new or existing package. 
Report                        Run a custom actor context report, or one using default values. For more information 
                              about actor context reports, see "Running Context Reports from an Actor Channel" 
                              on page 759. 
Find Actor in Navigator       Expand the containing group and highlight the selected actor in the Navigator panel. 
Graph View                    Display the actor in a resource graph in the Viewer panel. 
Lock Actor                    Locking is a common feature for all resources. 
Filtering Actor Channels 

There are two ways to filter the contents of an actor channel: adding a local filter to the resource itself, 
or applying an inline filter to one or more columns. 


Adding a Local Filter to the Actor Channel Resource 

You can add a local filter to the actor channel using the Active Channel : Actor Channel editor. This 
enables you to use the CCE to apply a filter locally to the selected actor channel. You cannot save a 
local filter added to an actor channel. 


Note: If your filter uses a conditional variable function to display an actor list on a channel, the 
channel does not display any actor values. This is because conditional variable functions work for 
in-memory resources only. You can therefore use conditional variables for rules and data monitors, 
but not for queries and active channels. 

For information about conditional variable functions, see "Condition Functions" on page 1076. 


To add a local filter to the resource: 

1. Click the Filter link in the channel header: 

This opens the Active Channel: Actor Channel editor in the Inspect/Edit panel. 

2. In the Attributes tab, set the name and select the Actor field set you want to use. See the following 
guidelines: 
a. Name. Replace the default name Actor Channel with a name that describes the channel, and 
perhaps the filter you want to apply to it, such as Managers in World-Wide Operations. 

b. Default Field Set. By default, no field set is used. You can select a field set if you want to 
select a specific actor field in a particular field set. If you specify a field set, only the actor field 
sets are displayed, such as the Actor Base field set (Field Sets/Shared/All Field 
Sets/ArcSight System/Actor Field Sets/Actor Base). You can select this field set, or 
another actor field set created in your environment. 

c. Common Attributes. Set any other common attributes you want for the actor channel. For a 
description of the data that goes in the Common section, see "Common Resource Attribute 
Fields" on page 685. 

3. In the Filter tab, construct the filter you want to apply. You can select any existing Actor field set, 
or apply a global variable. 

For instructions about constructing a condition using the Common Conditions Editor (CCE), see 
"Common Conditions Editor (CCE)" on page 864. 

4. In the Sort Fields tab, select the columns by which you want the actor channel to sort. Fields that 
contain lists and multi-values cannot be sorted. 

5. On the Local Variables tab, define any local variables you want to use to extract a particular value 
from a particular field. For instructions about how to use the Local Variables editor, see "Variables" 
on page 1069. 

6. Click Apply to apply changes to the actor channel displayed in the Viewer panel. Click OK to 
save the filtered actor channel. 


Tip: Where to find saved actor channels 

After you have modified and saved an actor channel, you can find it in the Active Channel 
area of the Navigator panel. Actor channels are saved with the suffix [Actor] after the active 
channel name, for example, Managers in World-Wide Operations [Actor]. 


Creating an Inline Filter 

Like event-based active channels, you can create an inline filter to operate on one or more columns to 
find actors with particular attributes in common. 

For instructions about how to construct inline filters, see "Filtering Active Channels with Inline Filters " 
on page 234. 

In an actor channel, if you apply an inline filter to a specific column, the inline filter automatically 
becomes part of the actor channel’s filter condition, as if you manually edited the actor channel and 
entered settings on the Filter tab. You have the option to save the actor channel with the new filter, or 
close the channel without saving the filter. 

To save the filtered version of the channel, see "Managing Actor Channels" on the next page. 


ArcSight Console User's Guide 
Chapter 28: Actors 


Managing Actor Channels 

This topic shows how to save, edit, and view your saved actor channels. 

To save an actor channel from the Viewer panel: 

1. Right-click the active channel header and select Save Active Channel As. 

2. In the Active Channels Selector, navigate to where in the Active Channels branch you want to 
save the actor channel and click OK. 

You can also save an actor channel by opening the actor channel editor in the Inspect/Edit panel as 
described in "Filtering Actor Channels" on page 756. 

To edit a saved actor channel: 

You can find saved actor channels in the Active Channel area of the Navigator panel. Actor channels 
are saved with the suffix [Actor] behind the active channel name. 

1. In the Navigator panel, go to Active Channels. 

2. Right-click the actor channel you want to edit and select Edit Active Channel. 

3. Make modifications to the actor channel in the Active Channel: Actor Channel editor in the 
Inspect/Edit panel and click OK. For details about what to enter in the active channel editor, see 
"Filtering Actor Channels" on page 756. 


Tip: Where to find saved actor channels 

After you have modified and saved an actor channel, you can find it in the Active Channel area of 
the Navigator panel. Actor channels are saved with the suffix [Actor] behind the active channel 
name, for example, Managers in World-Wide Operations [Actor]. 


To view a saved actor channel: 

1. In the Navigator panel, go to Active Channels. 

2. Double-click the actor channel you want to view, or right-click it and select View Active Channel. 


Investigating Actors 

You can investigate events to identify the actor behind the activity represented in an event by running a 
context report from an event or actor channel. The actor context report looks at which actor is bound to 
the event you are investigating, and then runs a report that shows activity for that actor. 

Running Context Reports from an Actor Channel 

From an actor channel, you can choose to run the report based on the following actor global variables: 

• ActorByAccountID 

• ActorByAttackerUsername 

• ActorByCustomFields 

• ActorByTargetUsername 

The report will be populated if the actor global variable finds the values for the supported attributes, for 
example, account ID, custom field, attacker user name, and so forth. When the report is launched, it 
will use the actor global variable specified in the field set. If there is more than one actor global variable 
in the field set, the report will default to ActorByAccountID. 

Note: Actor context reports will not show data if you are looking up actors using the ActorByUUID 
or ActorByDN global variable. These global variables are used only for internal actor lookups. 

For context reports out of the actor channel, you have the following choices for running actor context 
reports: 

• With default parameters: 

■ Default time range: last hour 

■ Default filter: correlation events only 

• With custom parameters (you set these explicitly) 

■ Start time 

■ End time 

■ Filter by 

The following procedure shows the available options for running actor context reports from an actor 
channel. 

To run an actor context report from an actor channel: 

1. Display an actor channel and right-click an actor. 

2. Select Report and then select one of the displayed report types. 
If you choose a report type that ends in "with defaults", for example, Actor Context Report by 
Attacker Username with defaults, the report is displayed with the following parameters: 

■ Default time range: last hour 

■ Default filter: correlation events only 

If you choose a report type that does not end in "with defaults", for example, Actor Context 
Report by Attacker Username, the following screen appears: 
[Figure: Set Parameters dialog] 

3. Set your custom parameters. For example, set StartTime, EndTime, and FilterBy. Keep the 
ActorResourceID parameter value; this is the value used to identify the actor of interest. 

4. Click OK. 
Investigating an Actor from an Event Channel 

You can investigate an actor from an event channel in one of the following ways: 

• By using the Show Actor option on an event that is related to an actor 

This option is enabled if the channel contains ActorResourceID values, for example, 
ActorByAccountID.ID. Actor data is displayed on the Inspect/Edit panel. 

• By running an actor context report on any active channel that has ActorResourceID values, for 
example, ActorByAccountID.ID. 

Running an actor context report ("Running Context Reports from an Actor Channel" on page 759) 
provides additional options: 

■ Report with default parameters 

■ Report with custom parameters which you set explicitly 

To show an actor related to an event: 

1. Display an event channel. 

2. Right-click an event and select Show Actor. If the channel does not use a field set containing an 
actor global variable, then the Show Actor option is disabled. 



The edit panel displays details about the actor. See "Viewing an Actor in the Actor Editor" on 
page 750 for an example of an actor edit panel. 

To run an actor context report from an event channel: 

1. Display an event channel. 

2. Right-click an event and select Report. 
3. Select the actor context report with default report parameters or the report that provides options to 
set report parameters for this report run. 

The report is displayed on the Console’s Viewer panel. 


Actor Context Reports in Standard Content 

Actor context reports and supporting resources are available as part of the standard content. For 
locations and descriptions of the reports and related resources, refer to the ArcSight Administration and 
ArcSight System Standard Content Guide. 

If needed, you can modify the resources upon which these context reports are based. Refer to the 
following topics in this guide: 

• For details about modifying reports, see "Defining Report Settings" on page 381. 

• For details about working with queries, see "Defining Query Settings" on page 303. 

• For details about working with report templates, see "Using Report Templates" on page 375. 


Creating and Editing Actors for Testing 
Purposes 

For testing purposes, you can create an actor using Console resources, or edit an existing actor 
resource. If you are manually creating actors, manually enter data in the fields you are interested in 
tracking. 

In a production environment, the Actor Model Import connector automatically populates the actor 
attributes the connector has been configured to send, based on values set at the source IDM. The IDM 
may not use or store data for every field. To learn more about the values the Actor Model Import 
connector can be configured to send, see the Actor Model Import connector documentation for your 
IDM system, for example, the SmartConnector Configuration Guide for Microsoft Active Directory 
Actor Model. 

Important Points to Consider About Making Manual 
Changes to Actors 

If you are creating, editing, or deleting actors that the IDM system sent through the Actor Model Import 
Connector, consider the following factors: 

• Actors you create using the Console are not sent back to the IDM. The flow of data is one way from 
the IDM through the connector into ESM. 

• Any changes you want to persist to the IDM should be made in the IDM itself. Any new actor 
information will be automatically imported at the next scheduled Actor Model Import connector 
connection. 

• If you made manual changes in the Console to actors imported from the IDM, these changes will be 
overwritten the next time the Actor Model Import connector sends updated data for the same actors. 

• If you manually deleted an actor attribute, that attribute will not be updated by a subsequent update 
from the Actor Model Import connector, unless the connector report includes an updated value for 
the attribute that you deleted. 

• You should be careful about using the Console to delete actors sent by the IDM, especially if the 
actors still exist in the IDM, because it is possible that the actor will not be updated during a 
subsequent import. 


Creating Actors for Testing Purposes 

Before proceeding, review the information in "Important Points to Consider About Making Manual 
Changes to Actors" above. 

To enter basic Actor attributes: 

1. In the Navigator panel, go to Actors. Right-click the All Actors group (or any group under All 
Actors) and select New Actor to launch the Actors editor. 

You can also launch the Actors editor by going to File > New > Actor, or by clicking the New 
Resource icon and selecting Actor. If you used the File > New > Actor menu option, the 
actor is added in the Unassigned folder. Later, you can move the unassigned actor to an existing 
group. 

2. In the Actor Editor in the Inspect/Edit panel's Attributes tab, enter values for the required fields, 
UUID and Full Name. Enter any other relevant attributes. All attributes are treated as datatype 
string. Use the scroll bar to see all the Actor attributes. 
To enter values in the Account Attributes table: 

In the Account Attributes table, add all the unique account IDs attributed to this user by the various 
authentication data relevant to this user. 

Note: About values in the Account Attributes table 

• In a production environment where the IDM sends data through an Actor Model Import 
connector, this table is automatically populated with the user account ID and authenticator 
values that the Actor Model Import connector is configured to send to ESM. 

• For tips about tools to use to find user account IDs and authenticator information, see 
"Configuring Actors" on page 745. 

• In a test situation, or any situation where an actor has been added manually using Console 
tools, you manually populate the account attributes you are interested in tracking. 


1. Click the Add icon to make the fields editable. 

2. In the Authenticator column, enter an identifier for the user authentication data store, for example, 
Active Directory: mycompany.com. This is a friendly name that will help admins and other 
users identify which data store is the authentication source. 

3. In the Account ID column, enter the user’s account ID used in that authentication data store, for 
example, john_doe, jdoe, or john.d. 

With each entry, the next set of fields becomes editable. Add as many data store authenticators 
and account IDs as are relevant. For example, an entry for an Active Directory authenticator could 
be Active Directory: companyname.com. Following is an example of a completed 
Account_Attributes table: 

Account Attributes 

Authenticator         Account ID 

Oracle                meerkat 
MS Windows            jmeerkat 
MS Exchange Server    jmeerkat@jaygroup.com 

4. To remove an entry, click anywhere on the row you want to delete and click the Delete icon. 

To enter values in the Role Attributes table: 

Note: About values in the Role Attributes table 

■ In a production environment where the IDM sends data through an Actor Model Import 
connector, this table is automatically populated with the user role values the Actor Model 
Import connector is configured to send. 

■ In a test situation, or any situation where an actor has been added manually using Console 
tools, you manually populate the role attributes you are interested in tracking. 


1. Click the Add icon to make the fields editable. 

2. In the Role Name column, enter a role name, such as Administrator, User, Approver, or 
Manager. 

3. In the Resource Name column, enter the application to which this role applies, for example, SAP or 
Microsoft Exchange. In the Role Type column, enter what type of role it is, such as whether it’s 
an IT role or a business role. 

With each entry, the next set of fields becomes editable. Add as many user roles as are relevant. 
Following is an example of a completed Role_Attributes table: 

Role Attributes 

Role Name        Resource Name         Role Type 

DBA              Oracle database       IT 
Administrator    MS Exchange Server 
4. To remove an entry, click anywhere on the row you want to delete and click the Delete icon. 


Editing Actors for Testing Purposes 

This section contains instructions for editing the actors you have created manually for testing 
purposes. In a production environment, actor changes should be managed automatically through the 
Actor Model Import connector. 

1. In the Navigator panel, go to Actors. 

2. Double-click an actor (or right-click an actor and select Edit Actor) to open the Actor Editor in the 
Inspect/Edit panel. 


Tip: How to find an actor among thousands of actors 
If a group in your actor model contains more than 1,000 members, view the actors using an 
actors channel. In the Actors navigation panel, right-click the group and select Show Actors. 

For more about creating and viewing actors in an actors channel, see "Viewing Actors in an 
Actor Channel" on page 753. 


3. Refer to the topic "Viewing an Actor in the Actor Editor" on page 750 for details about what to enter 
in the editor’s fields. 


Deleting Actors 

The actors feature is designed to reflect the latest state of your IDM data as sent through regular 
updates from the Actor Model Import connector. Changes made to actor data in your environment 
should be made first at the IDM; updates from the Actor Model Import connector then reflect these 
updates in ESM. 

If you delete a user at the IDM, the actor remains in the actor model, and its status is updated to 
Deleted in IDM. This gives you the opportunity to control the permanent deletion of actor data from 
ESM, or keep the information based on your requirements. 

• To delete an actor from the actor model permanently, right-click the actor and select Delete. 

• To delete a group of actors permanently, right-click the actor group and select Delete. 


Leveraging Actor Data Using Variables 

You can create a local or global variable that focuses just on actor base and list fields. This enables you 
to make a specific value derived from actor data available for use in actor-related resources: actor field 
sets, actor queries (used in reports, query viewers, and trends), and actor channels. 

Note: Use of velocity expressions is not supported in actor fields and in local or global variables for 
actor fields. 


Creating an Actor Global Variable 

Variables derive particular values from existing data fields. The global variables feature enables you to 
define a variable only once, and then re-use it in multiple places wherever conditions can be 
expressed. Global variables work with the actors feature so you can build user correlations. 

To create an actor global variable: 

1. Launch the global variable editor: In the Navigator panel, go to Field Sets. On the Fields & Global 
Variables tab, right-click a group and select New Global Variable. 

2. In the Attributes tab, give the global variable a name, and specify Actor Global Variable as the 
variable type. 

For details about the fields in the Global Variable Editor Attributes tab, see "Global Variable Editor: 
Attributes Tab" on page 557. 

3. In the Parameters tab, specify the parameters you want to set for the actor global variable. 

a. In the Function field, select a category, then a function appropriate for the data you want to 
extract from the actor fields. 

b. In the Arguments section, select the fields or resources to which you want to apply the 
function. Enter the other relevant arguments for that function. 

c. To test the result returned by the parameters you selected, enter test values and click 
Calculate to test the results of the actor global variable. 

4. In the Local Variables tab, you can optionally add a local variable to the actor global variable, 
which will extract a value from a field that you want to use in the overall actor global variable. 

For details about how to create a global variable using the global variable editor, see "Creating or 
Editing a Global Variable" on page 556. 

For details about the functions available to local and global variables, see "Variable Definition Fields" 
on page 1071. 


Creating an Actor-Based Variable in Another 
Resource 

Actor-based variables are only applicable to Actor-based resources. You can add a local variable based 
on an actor field to the following resources: 

• Actor active channels 

• Field sets 

• Global variables 

• Queries (available to reports, trends, and query viewers) 
To create actor-based local variables: 

1. In the resource editor Local Variables tab, click Add. 

2. In the Add Local Variable dialog: 

a. Enter a name for the local variable 

b. Select a function that is compatible with the actor field whose values you want to leverage in 
the variable 

c. In the Arguments section, select fields and add values relevant to the actor data you want to 
leverage 

d. In the Preview section, enter test values and click Calculate to test the results of the actor 
global variable. 

e. Click OK. 


Creating and Using Category Models 

After you have actor information created, you can make logical groupings to represent relationships 
among actors and actor attributes using category models. 

Category models can reflect direct actor relationships, such as reporting hierarchies, or relationships 
between actors who share common attributes, such as actors in a particular location. For reporting 
hierarchies, your model can consist of a top-to-bottom structure (by Manager), or its reverse (by 
Assistant). Category models can also reflect relationships between actors using custom attributes 
defined by the user. 

You can use category models to visualize these relationships, then leverage the data gathered in them 
using the HasRelationship function in local and global variables. 


Memory Recommendations for Using Category Models 

Category models can be resource intensive on run-time processing memory, depending on the size of 
your actor model and the nature of the relationships you are modeling. For best results, adjust Java 
Heap Memory Size in the Console setup script to at least 1 GB. 

To adjust the Java Heap Memory Size on the Console: 

1. If running, close the Console. 

2. In the directory <ARCSIGHT_HOME>/bin/scripts/, make a backup of the Console startup script 
file: 

■ Windows: console.bat 

■ Unix: console.sh 

3. Open the Console startup file (console.bat or console.sh) in a text editor, and change the 
default maximum heap size value from -Xmx512m to -Xmx1024m. 

For example (the value to change is the -Xmx setting): 

For Windows: 

Change the line 

set ARCSIGHT_JVM_OPTIONS=-Xms64m -Xmx512m -XX:MaxPermSize=84m - 

to 

set ARCSIGHT_JVM_OPTIONS=-Xms64m -Xmx1024m -XX:MaxPermSize=84m - 

For Unix: 

Change the line 

ARCSIGHT_JVM_OPTIONS="-Xms32m -Xmx512m -XX:MaxPermSize=84m " 

to 

ARCSIGHT_JVM_OPTIONS="-Xms32m -Xmx1024m -XX:MaxPermSize=84m " 

4. Save the updated Console startup file. 

5. Restart the Console. 

Creating Category Models 

You can create three types of category models depending on the type of relationships you want to 
represent: 

• Actor-to-actor. Actor-to-actor category models establish direct or indirect relationships between 
actors themselves, such as reporting hierarchies. This category model is also called a dual-field 
category model. 

• Model by actor attributes. Actor attribute category models are a way to group actors who share 
one base actor attribute in common, such as location, department, or country. This category model 
is also called a single-field category model. 

• Model by user-defined attributes. User-defined category models are a way to group actors who 
share one or more attributes that are outside of the schema, for example, users who come in on 
Saturdays, users who play racquetball, or users who take public transportation. This category 
model is also called a manually-created category model. 


Caution: Manually-created category models will not be included in an export of the actor 
resource. For more information about exporting resources, see "Creating or Editing Packages" 
on page 694. 


To create a category model: 

1. In the Navigator panel, go to Actors and click the Category Models tab. 

2. Right-click an existing group and select New Category Model. 

3. In the Category Model Editor’s Inspect/Edit panel, name the category model, select its type, and 
select the fields by which you want it to model. For details about what fields to populate for the 
type of category model, see the following topics: 

■ "Creating Actor-to-Actor Category Models" below 

■ "Creating Actor Attribute Category Models" on page 773 

■ "Creating User-Defined Category Models" on page 775 

4. Depending on the type of category model you create, use the Data tab to view the members of the 
category model, or use the Attributes tab to define the attributes by which you want to model 
users. 

5. Optional: To add information in the Notes tab, refer to "Using Notes" on page 57. 

6. Click OK to save the category model and close the editor, or click Apply to save the category 
model and leave the editor open. 

Creating Actor-to-Actor Category Models 

Actor-to-actor category models establish direct or indirect relationships between actors themselves, 
such as reporting hierarchies. The categorization is based on what data you want to track using the 
Parent Field, and how to look up the actors for populating the model through the Child Field. 

When creating actor-to-actor category models, enter the following values in the Attributes tab of the 
Category Model editor: 
Actor-to-Actor Category Model Attributes 

Name: 

Enter a name for the category model. This name will appear in pick lists and wherever 
category models can be referenced in conditions. Spaces, underscores, and hyphens 
are allowed. 

Create From: 

Use the Create From field to select the type of category model. 

For an actor-to-actor category model, select Actor Fields. After the category model 
is saved, this field becomes read-only. 

Field Set: 

By default, the system uses the Actor Base field set, because only actor-based fields 
are relevant for category models. You can also select a user-defined actor field set. 

The field set selected here defines the fields available for the parent and child field 
choices and defines the columns available for the table below the graph view (for 
more about the graph view, see "Viewing Category Models in Graphs" on page 778). 

After the category model is saved, this field becomes read-only. 

Relationship Name: 

Use this optional field to describe the relationship you want the category model to 
show. 

For example, if you want the category model to show managers and their direct 
reports, you could enter Direct Report to identify the relationship between the 
manager and the direct report. 

The value you enter here appears as a mouse-over tool tip on the relationship lines 
that connect the parent and child fields in the category model graph view. 

Parent Field: 

This field enables you to establish which Actor data field to use to build a hierarchy of 
relationships. 

From the drop-down menu, select Manager or Assistant as the parent field. 

For example, if you are building an actor-to-actor category model that shows top-down 
reporting relationships, select Manager to produce a category model of every 
manager identified in your IDM data. The resulting model displays managers at the 
top. 

A Parent Field of Assistant displays an inverted hierarchy with lower-level actors 
appearing at the top. 

Note: Only the Manager and Assistant fields are supported for the Parent Field when 
building actor-to-actor category models. 

Child Field: 

In Child Field, the UUID (or DN, if used) is the unique identifier the system uses to 
look up the actors and populate members who are related to Parent Field. 

From the drop-down menu, select UUID or DN as the unique identifier to correctly 
determine who the members are in a particular structure. (DN is specific to the Active 
Directory IDM.) 

Note: Only the UUID and DN fields are supported in the Child Field when building 
actor-to-actor category models. 

For example, if you selected Manager in the Parent field, and the actor’s Manager 
field is populated by a UUID value, then select UUID as the Child Field here. 

Likewise, if the actor’s Manager field is populated by the DN value, then select DN 
here. The following example scenario explains how the category model is created 
based on the Parent Field and Child Field values. 

Example scenario: 

Assuming you are building an organizational chart with managers at the top node: 

• Actor A has a UUID = 1234. Actor A is the manager of Actor B and Actor C. 

• Actor B and Actor C’s values for Manager = 1234, which corresponds to Actor A’s 
UUID. 

• In building this category model, use Parent Field = Manager and Child Field = 
UUID. The model looks up Actor B and Actor C’s Manager field, which holds 
Actor A’s UUID. It then creates Actor B and Actor C under Actor A in the resulting 
category model. 

Delimiter: 

The delimiter field does not apply to the actor-to-actor category model. 


For a description of the data that goes in the Common section, see "Common Resource Attribute 
Fields" on page 685. 


Use the Data tab to view the members of the group in tree form. 


[Screenshot: Category Model: org chart, Inspect/Edit panel, Data tab, showing Josh Meerkat at the top of the tree with Jujube Latte, Jem Stone, Jamba Laya, and Jared Binks beneath.] 

You can also view the group hierarchy in a resource graph. Right-click the category model and select 
View Category Model. For details, see "Viewing Category Models in Graphs" on page 778. 

Creating Actor Attribute Category Models 

Actor attribute category models are a way to group actors who share one base actor attribute in 
common, such as location, country, or any actor attribute that can have hierarchical 
groupings. 

When creating actor attribute category models, enter the following values in the Attributes tab of the 
Category Model editor: 

Actor Category Model Attributes 

Name: 

Enter a name for the category model. This name appears in pick lists and wherever 
category models can be referenced in conditions. Spaces, underscores, and hyphens 
are allowed. 

Create From: 

Use the Create From field to select the type of category model. 

For an actor attribute category model, select Single Actor Field. After the category 
model is saved, this field becomes read-only. 

Field Set: 

By default, the system uses the Actor Base field set, since only actor-based fields are 
relevant for category models. You can also select a user-defined actor field set. 

The field set selected here defines the fields available for the parent and child field 
choices, and also defines the columns available for the table below the graph view (for 
more about the graph view, see "Viewing Category Models in Graphs" on page 778). 

After the category model is saved, this field becomes read-only. 

Relationship Name: 

Use this optional field to describe the relationship you want the category model to 
show. 

For example, if you want the category model to show employees by location, you 
could enter Location to identify the relationship between the actor and the group he is 
associated with. 

The value you enter here appears as a mouse-over tool tip on the relationship lines 
that connect the actor and the attribute they’re being modeled by in the category 
model graph view. 

Parent Field: 

From the drop-down menu, select the attribute that you want to model the users by. 

For example, if you are building an actor attribute category model that categorizes all 
the actors by their location, select Location. 

Child Field: 

The child field does not apply to single-actor field category models. 

Delimiter: 

Enter the delimiter you used in the actors’ Delimiter attribute. The default is the 
forward slash (/). 

The Delimiter is used to denote the hierarchy of values, from top to bottom, in the 
attribute you are tracking in Parent Field. 

Example scenario: 

• Actor A has Location = /USA 

• Actor B has Location = /USA/California/Mountain View 

• Actor C has Location = /USA/California/Mountain View 

The delimiter used to denote a hierarchy is /, therefore, in the category model editor, 
set Delimiter = /. 

The resulting resource graph produced by these values has three levels: USA, 
California, and Mountain View. 


Tip: A combination of delimiters builds a hierarchy if one is found. 

If the attribute from which you are creating the category model contains multiple values with more 
than one type of delimiter, for example, a URL, such as 

http://www.greatcompany.com 

include all the delimiter characters in the Delimiter field. For example: 

://. 

This indicates that the colon (:), the slash (/), and the dot (.) are all delimiters used to separate the 
elements of the URL into the following hierarchy: 

http 

www 

greatcompany 

com 
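The following Python sketch is an added example, not ArcSight code, of how a single-actor-field category model turns a hierarchical attribute into levels: it treats every character entered in the Delimiter field as a separator, drops empty tokens, and omits actors that have no value in the modeled field. The actor records, the Location values and the URL are constructed for the example, and the function and variable names are this example's own, not identifiers from the Console.

```python
"""Added example (not ArcSight code): how a single-field category model
splits a hierarchical attribute on the configured Delimiter characters."""
from typing import List, Optional

# Constructed sample actors; names and Location values are made up.
ACTORS = [
    {"name": "Actor A", "Location": "/USA"},
    {"name": "Actor B", "Location": "/USA/California/Mountain View"},
    {"name": "Actor C", "Location": "/USA/California/Mountain View"},
    {"name": "Actor D", "Location": ""},   # no value: must not appear in the model
    {"name": "Actor E", "Location": "/Germany/Berlin"},
]


def split_path(value: str, delimiters: str) -> List[str]:
    """Split `value` on ANY character in `delimiters`, dropping empty tokens.

    Every character entered in the Delimiter field acts as a separator, so
    "://." splits a URL on colon, slash and dot alike.
    """
    tokens, current = [], []
    for ch in value:
        if ch in delimiters:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def build_attribute_model(actors, parent_field: str, delimiters: str = "/") -> dict:
    """Return a nested tree: each level is a dict of child levels plus a
    "_members" list holding the actors whose value ends at that level."""
    root: dict = {"_members": []}
    for actor in actors:
        value = actor.get(parent_field)
        if not value:            # actors with no value are left out of the model
            continue
        node = root
        for token in split_path(value, delimiters):
            node = node.setdefault(token, {"_members": []})
        node["_members"].append(actor["name"])
    return root


def levels(tree: dict, path: Optional[List[str]] = None) -> List[str]:
    """Flatten the tree into 'a/b/c' paths for inspection and testing."""
    path = path or []
    out: List[str] = []
    for key, child in tree.items():
        if key == "_members":
            continue
        out.append("/".join(path + [key]))
        out.extend(levels(child, path + [key]))
    return out


def all_members(tree: dict) -> List[str]:
    """Every actor name placed anywhere in the tree."""
    names = list(tree.get("_members", []))
    for key, child in tree.items():
        if key != "_members":
            names.extend(all_members(child))
    return names


if __name__ == "__main__":
    model = build_attribute_model(ACTORS, "Location", "/")
    for level in levels(model):
        print(level)
    print(split_path("http://www.greatcompany.com", "://."))
```

With Delimiter = "/" the constructed data yields the three levels USA, California and Mountain View described above (plus a separate Germany branch), Actor A sits at the USA level, and Actor D, which has no Location, is absent from the model entirely.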

For a description of the data that goes in the Common section, see "Common Resource Attribute 
Fields" on page 685. 

Use the Data tab to view the members of the group in tree form. 
[Screenshot: Category Model: location chart, Inspect/Edit panel, Data tab, showing the tree US > CA > MountainView with the actors A Banderas and A Assante under MountainView.] 

Based on the hierarchical relationship in the example above, the value for the two actors’ Location field 
is entered as /US/CA/MountainView. 

You can also view the group hierarchy in a resource graph. Right-click the category model and select 
View Category Model. For details, see "Viewing Category Models in Graphs" on page 778. 

Creating User-Defined Category Models 

User-defined (or manually-created) category models are a way to group actors who share one or more 
attributes that are outside of the actor schema, for example, users who come in on Saturdays, users 
who play racquetball, or users who take public transportation. 

The user-defined groupings can be created in hierarchical fashion. For example, users who take 
public transportation can be further classified into those who take the train, those who take the bus, and 
those who take a ferry. For user-defined category models, the hierarchy evaluation is based on the 
actor’s UUID value. 

1. When creating category models based on user-defined attributes, enter the following values in the 
Attributes tab of the Category Model editor: 


Name: 

Enter a name for the category model. This name will appear in pick lists and 
wherever category models can be referenced in conditions. Spaces, 
underscores, and hyphens are allowed. 

Create From: 

Select the type of category model from this field. 

For a user-defined attribute category model, select Manually. After the category 
model is saved, this field becomes read-only. 

Field Set: 

By default, the system uses the Actor Base field set, since only actor-based 
fields are relevant for category models. You can also select a user-defined actor 
field set. 

The field set you select here defines the columns available for the table that 
appears below the graph view (for more about the graph view, see "Viewing 
Category Models in Graphs" on page 778). After the category model is saved, 
this field becomes read-only. 

Relationship Name: 

Use this optional field to describe the relationship you want the category model 
to show. 

For example, if you want the category model to show actors who take different 
types of public transportation, you could enter Commutes By to identify the 
relationship between the actor and the group he is associated with. 

The value you enter here appears as a mouse-over tool tip on the relationship 
lines that connect the actor and the attribute they’re being modeled by in the 
category model graph view. 

Parent Field, Child Field, and Delimiter don’t apply to this category model. 

2. For a description of what to enter in the Common fields, see "Common Resource Attribute Fields" 
on page 685. 

3. Use the Data tab to define the attributes by which you want to group users, and to add actors to 
the category model. 

For example, if you want to create a hierarchy of users that take different types of public 
transportation, do the following: 

a. In the Category Model editor at the Data tab, click New Group. 

The name of the new group is automatically highlighted so you can give it a relevant name, for 
example, Public Transportation Commuters. Press the Enter key to save the new name. 

To rename a group at any time, right-click the group and select Rename; or click the Rename 
button. After entering the new name, press Enter. 

b. Add actors to the category model group. You can add actors from the Navigator panel and from 
an actors channel in the Viewer panel. 

From the Navigator panel: Drag and drop actors from the navigator panel into the category 
model group. You can drag and drop multiple actors at a time. 
From an Actors channel in the Viewer panel: You can view any group of actors in an actors 
channel in the Viewer panel. An actors channel is the only way to view groups with 1,000 or 
more members. Select the actors you want to add to the category model group, right-click, and 
select Add to Category Model. 

○ To select multiple actors in a row, use Shift + click. 

○ To select multiple actors out of sequence, use Ctrl + click. 

c. To create a sub-group of the first group, such as Train Commuters and Bus Commuters, click 
New Group again. You can also right-click the existing group (or right-click anywhere in the 
editor panel) and select New Group. 

○ By default, the new group is made a child of the first group. 

○ You can make the new group a parent group by dragging and dropping it to the desired 
location, or click Move Out (or right-click the group and select Move Out). 

○ You can make a parent group the child of another by dragging and dropping the group to the 
desired location, or click Move In (or right-click the group and select Move In). 


[Screenshot: Category Model: Commuters, Inspect/Edit panel, Data tab ("Drag and drop Actors from the Actor navigator to assign them to groups."), showing the group Commuters with the sub-groups Carpoolers (Jujube Latte, Jem Stone, Jared Binks) and Mass Transit (Josh Meerkat, Jamba Laya).] 

○ You can have unlimited parent and child nodes. 

4. View the category model in a resource graph. Right-click the category model and select View 
Category Model. For more about viewing category models as graphs, see "Viewing Category 
Models in Graphs" on the next page. 


Managing Category Models 

To edit a category model: 

1. In the Navigator panel, double-click the category model to open the Category Model editor. Or 
right-click the category model and select Edit Category Model. 
2. Make edits to the category model attributes. 

3. Click OK to save the category model and close the editor; or click Apply to save but leave the 
editor open. 

For details about the category model fields for the different types of category models, see 
"Creating and Using Category Models" on page 768. 

To copy or move a category model: 

You can move or copy a category model the same way you move or copy any resource. 

1. In the category model resource tree, navigate to an asset and drag and drop it into another group. 

2. Choose Move to move the category model, Copy to make a separate copy of the category model, 
or Link to create a copy of the category model that is linked to the original category model. 

If you choose Copy, you create a separate copy of the category model that will not be affected 
when the original category model is edited. If you choose Link, you create a copy of the category 
model that is linked to the original asset. Therefore, if you edit a linked category model, whether 
the original or the copy, all links are edited as well. When deleting linked category models, you can 
either delete the selected category model or all linked category model copies. 

To delete a category model: 

1. In the Navigator panel, right-click the category model and select Delete Category Model. 

2. At the confirmation dialog box, click Delete. 


Viewing Category Models in Graphs 

To fully visualize a category model, view it as a graph. Category model graphs are very similar to 
resource graphs, only instead of modeling relationships among all resources, category model graphs 
render relationships among attributes of actor resources. 

To view the category model graph: 

In the Navigator panel, right-click a category model and select View Category Model. 

The Viewer panel displays the graph. By default, all top-level nodes are displayed in collapsed form. To 
expand the nodes, click the plus (+) sign. 
Working with category model graphs: 

The category model graphs are displayed on the Viewer panel. As with all resource graphs, there is a 
set of command buttons at the top of the view and a parallel set of commands available by right-clicking 
the graph itself. 

The table below shows the Category Model Toolbar Buttons and Right-click Commands. 


Category Model Graph Options 

Fit Content: 

Size the model to the available display space. 

Zoom In / Zoom Out: 

Increase or decrease the size of the displayed model. 

The system is optimized to show the entire category model graph in the 
available space of the viewer panel. If a category model has many nodes 
and members, its elements can appear very small. To zoom in, click the 
zoom in icon (+ magnifying glass). To zoom out, click the zoom out icon (- 
magnifying glass). 

Zoom Selected: 

Zoom in on a selected portion of the model. 

Hierarchic Layout: 

Present nodes in a vertically descending cascade, similar to a family tree. 
Hierarchic layouts are appropriate when viewing event relationships that 
have a common root. 

Organic Layout: 

Display nodes in an arrangement based on minimum edge length, which 
tends to cluster nodes that relate to a common node. Likewise, node 
clusters with nodes in common will also tend to group together. 

Circular Layout: 

Position nodes in hub-and-spoke arrangements with each node radiating 
edges to, or receiving edges from, the nodes with which it interacts. 

Circular layouts are most useful when multiple roots are present or there 
are a number of source-target relationships to clarify. If an organic layout is 
difficult to read because the edges are too dense, try a circular layout 
instead. 

Orthogonal Layout: 

Arrange nodes on the basis of logical connections, using electrical 
schematic-style right-angle layouts. These layouts are very useful for 
clearly tracing connections and identifying node clusters. 

Overview: 

Open a reduced rendering of the entire graph. You can drag the highlighted 
section in the reduction to move the displayed area in the main view. 

Hierarchy Tree: 

Open a complete list of the nodes as seen on the category model editor’s 
Data tab. Click a node in the list to scroll to that node in the main view. 

Print: 

Print the displayed model. 

Export to JPEG: 

Create and save a JPEG-format copy of the current image. 

Add Graph View to Case: 

Add the current graph view to a case you select. 

Choosing this option opens the Case Selector dialog, where you can 
browse cases. Select a case to which to add the current graph view and 
click OK on the Case Selector dialog. The graph view is added to the 
selected case as an attachment, accessible on the Attachments tab in the 
case editor for that case. 

Help: 

Display the relevant Console online Help topic. 

Expand One Level / Collapse One Level: 

Expand all collapsed nodes to display nodes one level below. Collapse 
one level of all expanded nodes. 

This feature works only if no node was manually expanded or 
collapsed previously. 

Plus (+) / Minus (-): 

Expand or collapse a single node on the graph. 

Increase/Decrease Node to Node Distance: 

Increase or decrease distances between nodes by small increments. 

This feature works on expanded nodes. 

Single-person icon: 

Denotes an individual actor. 

Two-person icon: 

Denotes a group of actors. 


Every time a node is expanded or collapsed, the entire category model graph re-sizes to fit into the 
available space of the viewer panel. 

Note: Actors with no value for the field used to define the category model do not appear 
in the model. 

If an actor does not have a value for the field that was used to build the category model, that actor 
will not appear in the model. 

For example, if you build the category model on the Office attribute, and if an actor does not have a 
value in the Office field, that actor is not represented on the category model view. 

For more about resource graphs in general, see "Visualizing Resources" on page 676. 


Leveraging Category Model Data Using Variables 

Use the HasRelationship function in local and global variables to leverage data represented in a 
category model. 

Local and global variables are available in resources that use conditions: active channels, filters, rules, 
data monitors, and queries. Local variables are available for use only in the resource for which the 
variables are defined; global variables can be re-used in multiple condition-based resources. 

To leverage data represented by a category model in a variable: 

1. Launch the variable editor. 

■ Local variable: From the channel, filter, rule, query, or data monitor editor, click the Local 
Variable tab. Click Add to launch the Add Local Variable dialog box. 

■ Global variable: In the Navigator panel, go to Field Sets. On the Fields & Global Variables tab, 
right-click a group and select New Global Variable. 

In the Attributes tab, specify Event as the variable type. 

For details about the fields in the Global Variable Editor Attributes tab, see "Global Variable 
Editor: Attributes Tab" on page 557. 

2. Select the function category Category Model and the HasRelationship function. In the 
Arguments section, select the category model whose data you want to leverage and specify the 
parent and child field or group. 


Arguments for HasRelationship Function 

Name: 

When creating a local variable based on category model data, provide a friendly 
name for the variable. This name is used anywhere the variable is applied (CCE, 
resource field selectors). 

Function: 

From the Function drop-down menu: 

a. Select the category Category Model. 

b. Select the function HasRelationship. 

c. Click OK. 

Category Model: 

Browse to and select the category model from which you want to leverage data. 

Parent Field or Group: 

Navigate to the field or single-value variable you want to use as the parent. Use the 
Field/Group drop-down to indicate whether the parent is a field (single attribute) or a 
group. 

Child Field or Group: 

Navigate to the field or single-value variable you want to use as the child. 

Inherit All Related Actors: 

Select true for the variable to consider all the actors in a related hierarchy. For 
example, VP > Director > Manager > direct report. 

Select false for the variable to consider only direct relationships between actors. 
For example, Manager > direct report. 
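As an added example (not ArcSight code) that covers both the actor-to-actor scenario earlier in this chapter (Parent Field = Manager, Child Field = UUID) and the Inherit All Related Actors argument described here, the Python below builds a parent/child model from constructed actor records and evaluates a HasRelationship-style check in direct and inherited mode. The names build_actor_model, has_relationship and top_level_nodes, and the sample UUIDs, are this example's own assumptions, not Console identifiers; the product's internal implementation of HasRelationship is not described on this page beyond the table above.

```python
"""Added example (not ArcSight code): actor-to-actor category model built
from Parent Field = Manager and Child Field = UUID, plus a HasRelationship-
style check that honors the Inherit All Related Actors argument."""
from typing import Dict, List, Set

# Constructed sample IDM-style actor records; every value is made up.
ACTORS = [
    {"UUID": "1000", "Full Name": "VP",       "Manager": None},
    {"UUID": "1100", "Full Name": "Director", "Manager": "1000"},
    {"UUID": "1234", "Full Name": "Actor A",  "Manager": "1100"},
    {"UUID": "2001", "Full Name": "Actor B",  "Manager": "1234"},
    {"UUID": "2002", "Full Name": "Actor C",  "Manager": "1234"},
]


def build_actor_model(actors, parent_field: str = "Manager",
                      child_field: str = "UUID") -> Dict[str, List[str]]:
    """Map each parent identifier to the child identifiers that reference it.

    The Parent Field (Manager) of an actor holds the Child Field value (UUID)
    of another actor, so Actor B and Actor C, whose Manager is 1234, end up
    under Actor A. Actors with an empty Parent Field become top-level nodes.
    """
    children: Dict[str, List[str]] = {}
    for actor in actors:
        parent_id = actor.get(parent_field)
        if not parent_id:
            continue
        children.setdefault(parent_id, []).append(actor[child_field])
    return children


def has_relationship(model: Dict[str, List[str]], parent_id: str,
                     child_id: str, inherit_all: bool) -> bool:
    """True if child_id is related to parent_id in the model.

    inherit_all=False: only a direct parent -> child edge counts
                       (Manager > direct report).
    inherit_all=True:  the whole subtree counts
                       (VP > Director > Manager > direct report).
    A visited set keeps a cyclic Manager reference in the data from looping.
    """
    direct = model.get(parent_id, [])
    if not inherit_all:
        return child_id in direct
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        current = stack.pop()
        if current == child_id:
            return True
        if current in seen:
            continue
        seen.add(current)
        stack.extend(model.get(current, []))
    return False


def top_level_nodes(model: Dict[str, List[str]]) -> List[str]:
    """Parents that are nobody's child: the roots drawn at the top of the
    graph when Parent Field = Manager."""
    all_children = {c for kids in model.values() for c in kids}
    return sorted(p for p in model if p not in all_children)


if __name__ == "__main__":
    model = build_actor_model(ACTORS)
    print("roots:", top_level_nodes(model))
    print("direct Manager > report:", has_relationship(model, "1234", "2001", inherit_all=False))
    print("VP > report, direct only:", has_relationship(model, "1000", "2001", inherit_all=True))
```

The difference between the two modes is what a condition built on the variable will match: with Inherit All Related Actors = false only the VP's direct report (the Director) relates to the VP, while with true every actor below the VP does, which is usually what a "same reporting line" correlation rule wants.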


For details about working with the Global Variable editor, see "Creating or Editing a Global Variable" on 
page 556. 

For details about local variables and the functions available to both local and global variables, see 
"Variable Definition Fields" on page 1071. 


The topics that follow provide information on resources, components, and terms used throughout the 
guide. Topics are organized alphabetically, and introduced and defined in a style meant to help you get 
more drill-down information about a term quickly and easily. Unlike a standard “glossary,” however, 
many of these topics present quite a bit of in-depth information including conceptual and reference 
material. These topics are cross-referenced (linked) extensively with the rest of the Help topics and 
vice versa. 


Access Control Lists 

ESM uses Access Control Lists (ACLs) to manage user group permissions. ACLs define which user 
groups have permissions to which resources, and to which components such as rules, reports, and 
filters. (See also "Editing Access Control Lists (ACLs)" on page 189.) 

User groups can have inspect (read) permissions, edit (write) permissions, or both. If a user group has 
inspect permissions, they can read the resource. For example, the users in the group can see the 
resource and related information through the Console. If the group has edit permissions, they can write 
to or change the resource, such as writing or editing a rule or report resource. 

Resources, too, can have inspect (read) permissions, or edit (write) permissions. Resources, like user 
groups, are managed as groups and not as individual resources. Therefore, a resource can only be 
accessed if a user group has access to the resource's group. Permission to inspect or edit resources is 
granted when the user logs in, and the resource only appears in the Console if the logged in user has 
inspect permissions. 

Note: Best practices: 

• Log out and log back in again for permission changes to take effect. 

• Whenever an administrator changes another user’s permissions, the other user should log out 
and log back in again. This ensures that the new permissions are registered with the Manager, 
and the user can see the changes. 


Resource ACLs 

Resources have ACLs to help you manage user permissions based on the resource. You can use the 
resource ACL to determine which user group can access it. You can control which user group has 
access to inspect or to edit any resource, such as rules, cases, and reports. (See also "Editing Access 
Control Lists (ACLs)" on page 189.) 

Events are also available to user groups based on resource ACLs. For example, you can control which 
user group has access to a filter by adding the group to the filter's ACL and giving them inspect or edit 
permissions. If you no longer want the group to have permissions to that filter, you can edit the group's 
permissions or remove the group from the filter ACL. In this example, the user group listed on the filter 
ACL with inspect permissions can see events from that filter in the Console. Those without 
permissions cannot see any events from that filter. 

Note: By default, a custom user group inherits the ACL settings from the parent user group. If a 
user group has no access to any filters, it is as if the group’s specified filter in the ACL editor were 
Filters\Shared\All Filters\ArcSight System\Core\No Events. Therefore, users from this group do 
not see any events in the following resources: 

• Active channels using event filters 

• Queries on events, and therefore query viewers and reports based on those queries 

If users need to see event data, make sure their user group has access to the applicable filters. 

See "Editing Access Control Lists (ACLs)" on page 189 for details. 

Events are also extracted from the database based on ACLs. For example, when users generate 
reports, events extracted from the database are based on ACLs. Therefore, only data that users have 
access to is retrieved, and not all data may be included in the report. Report ACLs can only provide 
events if the user generating the report has the permissions to view those events. For example, if user 
group A has permissions to view events from filter A and user group B does not, user group B is not 
able to extract event values from filter A when running a report; the report comes back empty. 

However, since user group A does have permissions to filter A, user group A's report comes back with 
the values from filter A. 


Note: The Resource ACL display shows relationships between users and groups, and how 
permissions are acquired for each of the user groups. Child groups inherit permissions from parent 
groups. 


For example, consider the following set of ACLs for assets. 

Resource                                                  R          W 
/All Users/Administrators                                 granted    granted 
/All Users/Default User Groups                            granted    - 
/All Users/Default User Groups/Analyzer Administrators    inherited  granted 

In this scenario, the following permissions apply: 

• A user logged in as Administrator (belonging to the group /All Users/Administrators) has read 
and write permissions by virtue of being in the Administrators group. 

• All users have read permissions because they belong to the group /All Users/Default User 
Groups by default. 

• A user logged in as an Analyzer Administrator has both read and write permissions: read 
permission is inherited from the parent group (/All Users/Default User Groups) and write 
permission is granted to the Analyzer Administrators child group. 
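The following is an added example, not ArcSight code, that models two points made above: a user group's effective permissions on a resource are the union of the ACL entries on that group and on each of its parent groups (child groups inherit), and event retrieval is gated by filter ACLs, so a report run by a group without inspect permission on a filter comes back empty rather than failing. The group paths beyond the three shown in the table, the filter ACL, the permission labels and the events are constructed for the illustration.

```python
# Added example, not ArcSight code: ACL inheritance along the group path and
# ACL-gated event retrieval for reports.

ADMINS = "/All Users/Administrators"
DEFAULT_GROUPS = "/All Users/Default User Groups"
ANALYZER_ADMINS = "/All Users/Default User Groups/Analyzer Administrators"

# Constructed asset ACL: explicit entries per group path. Read is not listed
# for Analyzer Administrators on purpose; it comes from the parent group.
ASSET_ACL = {
    ADMINS: {"read", "write"},
    DEFAULT_GROUPS: {"read"},
    ANALYZER_ADMINS: {"write"},
}


def group_and_parents(group_path):
    """Yield the group path itself, then each parent path up to the root."""
    parts = group_path.strip("/").split("/")
    for n in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:n])


def effective_permissions(acl, group_path):
    """Union of the ACL entries on the group and on every ancestor group."""
    perms = set()
    for g in group_and_parents(group_path):
        perms |= acl.get(g, set())
    return perms


def user_permissions(acl, user_groups):
    """A user who is in several groups gets the union of each group's permissions."""
    perms = set()
    for g in user_groups:
        perms |= effective_permissions(acl, g)
    return perms


# Constructed filter ACL: group paths holding inspect permission per filter.
FILTER_ACL = {
    "filter A": {"/All Users/Group A"},
}

# Constructed events, each tagged with the filter it matches.
EVENTS = [
    {"name": "db update", "filter": "filter A"},
    {"name": "login", "filter": "filter A"},
    {"name": "noise", "filter": "filter B"},
]


def can_inspect_filter(filter_acl, filter_name, user_group):
    """True if the group, or one of its parent groups, is on the filter's ACL."""
    holders = filter_acl.get(filter_name, set())
    return any(g in holders for g in group_and_parents(user_group))


def report_events(filter_acl, events, filter_name, user_group):
    """Events a report based on `filter_name` returns for a user in `user_group`.

    Retrieval is ACL-gated: without inspect permission on the filter the
    report is simply empty, which is the symptom the text describes.
    """
    if not can_inspect_filter(filter_acl, filter_name, user_group):
        return []
    return [e for e in events if e["filter"] == filter_name]
```

Because the filter ACL is consulted with the same parent walk, a sub-group of Group A inherits the ability to run the report, while an unrelated group gets an empty result with no error to explain it; that silent emptiness is what to check first when a report "has no data".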


Active Channels 

Almost all event-related views are active channels. Also, several types of resources related to assets 
and cases are shown as active channels. 

Rather than simply flowing events through as received, or capturing a fixed set of events for replay, a 
channel is in effect a live, on-going event query. Because it is continually re-evaluated, the set of 
events collected in a channel can continue to change (due to reporting latency), even when defined with 
a fixed time-bracket. 

In other words, active channels are definitions for collections of events; definitions that are always 
freshly re-evaluated so the resulting sets are as valid as the data received up to that moment. Because 
the active channel continuously refreshes with live events, you should not use an active channel to 
track event counts because these counts vary across different timeframes. On the other hand, a replay 
channel’s event count is based on that specific replay session (with the specific sessionID). Instead of 
active channels, consider using query viewers or reports to track event counts. 
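The following added example, not ArcSight code, simulates why an active channel defined with a fixed time bracket can still change: the channel is a query over the event store that is re-run on every refresh, so an event whose end time lies inside the bracket but which reaches the Manager late (reporting latency) shows up only on a later refresh, while a replay session captures a fixed set. The store, the channel classes, the events and the timestamps are constructed for the illustration.

```python
# Added example, not ArcSight code: fixed-bracket active channel versus replay
# session when an event arrives late.
from datetime import datetime, timedelta


class EventStore:
    """Events as the Manager holds them: event end time plus time of receipt."""

    def __init__(self):
        self.events = []

    def receive(self, name, end_time, received_at):
        self.events.append({"name": name, "end_time": end_time,
                            "received_at": received_at})

    def query(self, start, end, as_of=None):
        """Events with end time in [start, end) that had arrived by `as_of`."""
        return [e for e in self.events
                if start <= e["end_time"] < end
                and (as_of is None or e["received_at"] <= as_of)]


class ActiveChannel:
    """A live query: every refresh re-evaluates the definition."""

    def __init__(self, store, start, end):
        self.store, self.start, self.end = store, start, end

    def refresh(self, now):
        return self.store.query(self.start, self.end, as_of=now)


class ReplayChannel:
    """A replay session: the event set is fixed when the session is created."""

    def __init__(self, store, start, end, session_id, now):
        self.session_id = session_id
        self.snapshot = store.query(start, end, as_of=now)

    def events(self):
        return self.snapshot


def simulate_latency():
    """Return (active count at first refresh, active count after a late event
    arrives, replay count). Only the active channel's count moves."""
    t0 = datetime(2015, 4, 15, 14, 0)
    minute = timedelta(minutes=1)
    store = EventStore()
    # Two events that arrive promptly, inside the 14:00 to 15:00 bracket.
    store.receive("e1", t0 + 5 * minute, t0 + 5 * minute)
    store.receive("e2", t0 + 20 * minute, t0 + 21 * minute)
    channel = ActiveChannel(store, t0, t0 + 60 * minute)
    first = len(channel.refresh(now=t0 + 30 * minute))
    replay = ReplayChannel(store, t0, t0 + 60 * minute, "session-1",
                           now=t0 + 30 * minute)
    # A third event ended at 14:40 but is delayed and arrives at 15:10,
    # after the bracket has closed. It belongs to the bracket all the same.
    store.receive("e3-late", t0 + 40 * minute, t0 + 70 * minute)
    second = len(channel.refresh(now=t0 + 75 * minute))
    return first, second, len(replay.events())
```

The count of the active channel goes from 2 to 3 across refreshes even though the bracket never changed; the replay session stays at 2. This is the reason the text recommends query viewers or reports, not active channels, when a count has to be reported.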

The queries that define active channels are composed, at a minimum, of time parameters; other filter 
conditions of the usual sorts can also apply. You find and use these queries in the Navigator panel's 
Active Channels resource tree. You create these definitions through the File>New>Active Channel 
command and can refine them using inline filters and the Active Channel Editor. Once defined and 
displayed, you can manipulate the order, format, and content of these views with all the familiar 
features of the Console. 

Query viewers are provided as a quick alternative to active channels, better suited to some scenarios. 

See "Query Viewers" on page 323 for more information. 


Active Channel Views 

Each individual view is one rendering of an active channel, whether it is a grid view or chart view. 
Individual views are represented by the tabs you see at the bottom edge of the Viewer panel. Channels 
are represented by the tabs at the top of the Viewer panel, that group together individual views. 


Active Channel Headers 

The channel name and statistics line appears at the top of active channel views. These statistics are 
event-severity indicators for the view. The indicators show the current number of events in the view for 
each of the priority categories. You can click these indicators to instantly filter the channel to show only 
the selected priority. 


[Screenshot: active channel header. Active Channel: System Events Last Hour. Total Events: 4,400. 
Start Time: 15 Apr 2015 14:12:00 PDT. End Time: 15 Apr 2015 15:13:00 PDT. Filter: MatchesFilter 
("ArcSight Internal Events"). Inline Filter: No Filter. Very High: 0, High: 0, Medium: 1, Low: 4,399, 
Very Low: 0. Radar (+/-).] 


The Filter status line describes the filter conditions the channel is currently using. 

The Radar display in active channel headers indicates the activity taking place in the channel, in 
graphics that represent units of time horizontally, and numbers of events in vertical bars segmented by 
Priority attribute-value counts. The time and quantity scales in the graphic automatically adjust to 
accommodate the scope of the channel. The broader the scope, the smaller the graphical units 
become. 
You can open and close the Radar display with the Plus (+) and Minus (-) buttons at the right end of the 
Filter line. 

With simple gestures, you can control the contents of a grid view using its Radar display. Click, 
Shift+click, Ctrl+click, or drag to select one or more contiguous or non-contiguous bars in the display. 
You can also drag selection borders left or right to adjust a span further. The grid then shows just the 
events the selection represents. 


Comparisons 

You may want to note that the Manager handles active channel traffic through the database. This 
means that the content is persisted, but may involve processing delays that cause an active channel to 
show information later than a more direct method such as the data monitors in dashboards. 

Conversely, data monitor traffic resides only in memory and is subject to loss or abbreviation by server 
restarts. 

See the topic "Viewing and Using Channels" on page 211 to learn more about active channel tasks. 

You may also want to compare active channels to active lists as analysis tools. 


Active Channel Views for Assets and Cases 

The Console shows assets, vulnerabilities, asset categories, scanner reports, and cases in active 
channels. You can leverage the power of channels for asset management, including use of filters, field 
sets, and better sorting capabilities. 


Active Lists 

You can use active lists to create a configurable data store that can hold information derived from 
events, or other sources. 

Active lists can monitor activity based on any rule-driven combination of event attributes or set of 
custom fields. For example, active lists are very useful for tracking suspicious or hostile IP addresses 
as well as targets of attacks that may be compromised. 

You can populate active lists manually when necessary (adding entries from grid views or the Active 
List Editor), or use active lists in conjunction with rules specifically tailored to work with them. Rules 
can dynamically add and remove entries on active lists, thereby making them a flexible information- 
gathering tool. 

You can now open and edit active lists in grid views. 

Active lists function differently than active channels. Active lists are not continuously re-evaluated and 
are not time-window constrained. Active lists draw from the event stream on the basis of their event or 
field/rule definitions and any rules designed to affect them. 

You can use active lists as filters in other resources that are not based on active channels, such as 
reports. 
In addition to their integral definitions, you can apply temporary (not saved) filters to active list grid 
views. Click the status description in the Filter line in the view header to use the Common Condition 
Editor. 

Use the default items in the Active Lists resource tree for templates or for operational monitoring with 
minor modifications. For example, use the Trusted List to watch activity from known-to-be-safe IP 
sources and the Untrusted List to do the same for known unsafe sources. 

If you have Administrator access, you also have access to another group named All Active Lists that 
contains all active list groups and lists. 

Note: For procedural information about working with active lists (including how to create, edit, 
delete, import, and export them), see "List Authoring" on page 469. 


Uses of Active Lists 

The main uses of active lists are to: 

• Maintain information, such as in the system content-provided Hostile List or Trusted List that 
maintain information on hostile and trusted IP addresses (and corresponding zones). 

• Check for the existence of particular information in lists using the InActiveList condition (see 
"Condition Tree Command Buttons" on page 866). 


Note: The InActiveList operator does not parse multi-value attributes. The InActiveList 
operator only evaluates single-value attributes, and treats multi-value attributes, such as Actor 
Account ID and Role, as single-value attributes. 


For example, when a system is compromised (such as in a security breach), it can be added to the 
compromise list using rule actions. The information in the active list can then be used to collect all the 
events that occur on the asset while it is compromised. This can be used for tracking and further 
investigation on other systems that have come into contact with the compromised system. 


Active Lists for Long-Term State Retention 

Active lists can store data over a longer period of time than rules or data monitors are capable of 
retaining. For example, rules can hold a state that describes the very recent past, normally few 
minutes. Data monitors may contain up to a day’s worth of data, but data monitors usually contain 
aggregated data. 

Active Lists can answer the following question that cannot be addressed directly by rules or data 
monitors: “Has the source IP of the current event attacked one of my systems in the last 30 days?” 


Optimize Data with Hash-Based Active Lists 

A hash-based active list uses a hash function to map a set of data to a single number (a hash value). 

To create a hash-based active list: 

• Enable the Optimize Data option on the Active Lists Attributes tab. 

• Make sure the list is set to Case-Sensitive. 

See "List Authoring" on page 469. 

The main advantage of using the hash-based active list by enabling the list’s Optimize Data option is to 
reduce memory usage. Instead of storing the complete active list entry in memory, only the hash code 
(a number), count, and last modified time are stored. The complete entry is available in the database. 
Therefore, the size of each entry in memory is constant, regardless of the number of fields and 
corresponding data types in the active list schema. 

In terms of performance, there is little or no difference between hash-based and regular active lists. 

The Optimize Data option is useful for active lists that contain a large number of entries (for example, 
more than 100,000 entries) or a large amount of information per entry. 

Note: There is a possibility of getting an inaccurate result from an active list that uses the 
Optimize Data option due to hash collisions. When two active list entries map to the same hash 
code, the result of the InActiveList condition can be inaccurate in some cases. However, the 
chances of two entries evaluating to the same hash code are quite rare. In the current scheme, for an 
active list with 1 million entries, the chances of hash code contention are about 1 in 4,000,000. 

You can switch active lists between optimized (hashing) and non-optimized (non-hashing) after they 
are created. 
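The following added example, not ArcSight code, models the Optimize Data (hash-based) active list described above: in memory each entry is reduced to a fixed-size record (hash code, count, last-modified time) while the full entry is kept only in a backing store standing in for the database. A deliberately narrow hash width is used so that a collision, and the inaccurate InActiveList answer it produces, can be shown with a handful of entries; the hash function, the 16-bit width and the sample entries are illustrative choices, not the product's.

```python
# Added example, not ArcSight code: a toy hash-based active list and the
# false positive a hash collision causes in the InActiveList check.
import hashlib
import time

HASH_BITS = 16  # constructed: tiny on purpose so a collision is easy to find


def entry_hash(fields, case_sensitive=True):
    """Map an entry's field values to one integer hash code."""
    values = list(fields) if case_sensitive else [f.lower() for f in fields]
    digest = hashlib.sha256("\x1f".join(values).encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (1 << HASH_BITS)


class OptimizedActiveList:
    """Hash-based active list: memory holds only (hash code, count, last modified)."""

    def __init__(self, case_sensitive=True):
        # The text says to keep the list Case-Sensitive when Optimize Data is on.
        self.case_sensitive = case_sensitive
        self.memory = {}     # hash code -> [count, last_modified]
        self.database = {}   # hash code -> [full entries]; stand-in for the DB

    def add(self, *fields):
        h = entry_hash(fields, self.case_sensitive)
        record = self.memory.setdefault(h, [0, 0.0])
        record[0] += 1
        record[1] = time.time()
        self.database.setdefault(h, []).append(tuple(fields))
        return h

    def in_active_list(self, *fields):
        """The InActiveList check as the optimized list answers it: hash only."""
        return entry_hash(fields, self.case_sensitive) in self.memory

    def in_active_list_exact(self, *fields):
        """What a full-entry comparison (non-optimized list) would answer."""
        h = entry_hash(fields, self.case_sensitive)
        return tuple(fields) in self.database.get(h, [])

    def memory_records(self):
        """Number of fixed-size records in memory, regardless of the schema."""
        return len(self.memory)


def find_colliding_value(target_fields, case_sensitive=True, limit=1 << 20):
    """Search constructed values for one that hashes to the same code as
    `target_fields` without being equal to it. Returns a tuple of fields."""
    want = entry_hash(target_fields, case_sensitive)
    for i in range(limit):
        candidate = (f"host-{i}",) + tuple(target_fields[1:])
        if candidate != tuple(target_fields) and \
                entry_hash(candidate, case_sensitive) == want:
            return candidate
    return None
```

With a 16-bit code a colliding value turns up after a few tens of thousands of candidates; with the much wider codes a real deployment uses the same search is infeasible, which is what makes the 1-in-4,000,000 figure above acceptable in practice. The collision still matters for the reader of a rule: an InActiveList match on an optimized list is evidence, not proof, that the exact entry is present, and the full entry in the database is what to consult when a single match drives an action.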


Active List Audit Events 

Audit events are sent on the following active list activity: 

• Adding an entry (DEC: /ActiveList/Add) 

• Removing an entry (DEC: /ActiveList/Delete) 

• Updating an entry (DEC: /ActiveList/Update) 

• Expiration of an entry (DEC: /ActiveList/Expire) 

• Eviction of an entry (DEC: /ActiveList/Evict) 

Tip: DEC stands for device event category, an event field. For example, when an active list 
entry is added, an audit event is generated with a DEC string of /ActiveList/Add. 

You can use audit events in rules, filters, and other analytical or administrative resources. For 
more information, see "Audit Events" on page 812. 


Active List Monitor Events 

The following monitor events include Active List Usage statistics. (See "Status Monitor Events" on 
page 1048 for more information.) 

• Open Active Lists count (DEC: /Monitor/ActiveLists/ListCount) 

• Active List entry count (DEC: /Monitor/ActiveLists/EntryCount) 

• Active List entry capacity (DEC: /Monitor/ActiveLists/EntryCapacity) 

• Active List entry usage (% of capacity used) (DEC: /Monitor/ActiveLists/EntryPercentUsed) 

• Active List entry look-ups per second (DEC: /Monitor/ActiveLists/QueriesPerSecond) 

• Active List entry updates per second (DEC: /Monitor/ActiveLists/ChangesPerSecond) 

• Temporary Active Lists count (DEC: /Monitor/ActiveLists/TemporaryListCount) 

• Temporary List entry count (DEC: /Monitor/ActiveLists/TemporaryEntryCount) 

• Temporary Active List entry capacity (DEC: /Monitor/ActiveLists/TemporaryCapacity) 

• Temporary Active List entry usage (% of capacity used) (DEC: /Monitor/ActiveLists/TemporaryPercentUsed) 

Active Lists with Values 

An active list with values divides the set of fields into key fields and value fields. Active lists with 
values provide the following functionality: 

• Use an InActiveList condition to check the existence of an entry (using only keys or keys along 
with values). See "Condition Tree Command Buttons" on page 866 for more about applying an 
InActiveList condition. 

Note: The InActiveList operator does not parse multi-value attributes. The InActiveList 
operator only evaluates single-value attributes, and treats multi-value attributes, such as Actor 
Account ID and Role, as single-value attributes. 

• Look up value fields for given key field values. Keys and values can consist of one or more 
columns. 

A single key can map to a single value; for example, user name (key) to badge ID (value). 

A single key can also map to multiple values (in a multi-map active list); for example, user name 
(key) to badge ID, first name, last name (three values). The actors resource is a typical use case for 
multi-map active lists. For example, you might map a single actor (key) to multiple roles (values). 

Variables are used to retrieve the value portion of the active list entry. 

To create an active list with values, select the Fields-based data option on the Active List editor 
Attributes tab, check Key Fields to enable a per-field Key option, and then select one or more data 
fields that must be unique. (For the complete procedure, see the topic on "Creating an Active List" on 
page 470.) 

Using Variables to Retrieve Data from Active Lists with Values 

To add a list field in a condition, use the variable functions described in "List Functions" on page 1079 
that can yield list values. 

When defining a variable to retrieve value information from active lists with values, be sure to specify 
these attributes for the variable: 

• Name of the variable 

• The active list to be used to retrieve values for the key 

• Field mappings (mapping of the event fields to key fields in the active list) 

For more about working with variables, see "Variables" on page 1069. 

Example: Active List with Values to Store Directory Information 

As an example, suppose we want to create an active list with values to store directory information. 

Create an Active List 

We follow the basic procedure to create a new active list shown in "Creating an Active List" on 
page 470. For the example, we create the active list with these options: 

• Specify Fields-based data using Key fields 

• The Key is the Username. 

• The values contain various information corresponding to the given user name. For simplicity, you 
can store only user role information. (The user role usually determines the type of actions a user can 
take, and on what type of resources.) If desired, you can store additional information such as the 
user's First Name, Last Name, Phone Number, Email Address, and so on. 



Populate the Active List 

We can populate the list in any of various ways: 

• Manual data entry 

• Export required information from Active Directory into a CSV file, and then import entries to the 
active list from the CSV file 

• Use the Active Directory User Group Puller tool 

• Use event-based integration or other tools 

Correlate Information Stored in UserRoles List 

Once the Active Directory information is populated to an active list with values, we can access and 
correlate the user information using reports, rules, active channels, data monitors, and so on. The 
details of the correlation logic are as follows. 

Create a Rule: 

For this example, we choose a rule that does the following: 

• Looks for events that update some critical database information 

• Checks if the target user had privilege to perform the operation using the Active Directory User Role 
information, maintained in the active list 

(For more information on creating rules, see "Creating or Editing Rules" on page 495 and "Rules 
Authoring" on page 493.) 


Use Variable to Get Role Information: 

For the database update events, we can get the corresponding Active Directory role information using 
the GetActiveListValue variable. 


Set Conditions to Check Role Permissions: 

Once the role information is retrieved, we can check if the user has the role required to perform this 
operation. If the user does not have the required role, then the rule is triggered to alert the administrator 
to the unauthorized access. 



Take Action Based on Results of Permissions Check: 

If the user does not have the required role, the rule can trigger and alert the administrator about this 
unauthorized access. (This is configured on the Actions tab.) 
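The following added example, not ArcSight code, expresses the correlation built in this example as plain logic: an active list with values keyed by Username whose value field is the user's Role (a multi-map, since a user can hold several roles), a lookup that stands in for the GetActiveListValue variable, and a rule that fires when a critical database update is performed by a user without the required role. The event field names, role names, event category string and sample events are constructed for the illustration and are not taken from ESM content.

```python
# Added example, not ArcSight code: UserRoles active list with values and the
# rule that checks role permissions on critical database updates.
from collections import defaultdict


class ActiveListWithValues:
    """Key fields -> set of value tuples (a multi-map active list)."""

    def __init__(self):
        self.entries = defaultdict(set)

    def add(self, key, value):
        self.entries[key].add(value)

    def in_active_list(self, key, value=None):
        """InActiveList: check the key alone, or the key together with a value."""
        if value is None:
            return key in self.entries
        return value in self.entries.get(key, set())

    def get_values(self, key):
        """Stand-in for the GetActiveListValue variable: values stored for the key."""
        return set(self.entries.get(key, set()))


# The UserRoles list, populated as if from an Active Directory export
# (constructed sample data).
USER_ROLES = ActiveListWithValues()
for user, role in [("alice", "DBA"), ("alice", "Analyst"),
                   ("bob", "Analyst"), ("carol", "DBA")]:
    USER_ROLES.add(user, role)

REQUIRED_ROLE = "DBA"                          # constructed: role the operation needs
CRITICAL_UPDATE = "/Database/Critical/Update"  # constructed category string


def is_critical_db_update(event):
    """Rule condition 1: the event updates critical database information."""
    return event.get("deviceEventCategory") == CRITICAL_UPDATE


def evaluate_rule(event, roles=USER_ROLES):
    """Rule conditions 2 and 3: fetch the user's roles and check for the
    required one. Returns an alert dict when the rule fires, else None.
    A user absent from the list has no roles and so fails the check
    (the rule fails closed rather than assuming privilege)."""
    if not is_critical_db_update(event):
        return None
    user = event.get("targetUserName")
    user_roles = roles.get_values(user)
    if REQUIRED_ROLE in user_roles:
        return None
    return {
        "rule": "Unauthorized critical database update",
        "user": user,
        "roles": sorted(user_roles),
        "required": REQUIRED_ROLE,
        "source": event.get("sourceAddress"),
    }


def run_rule(events, roles=USER_ROLES):
    """Apply the rule to a batch of events; returns the alerts raised."""
    alerts = [evaluate_rule(e, roles) for e in events]
    return [a for a in alerts if a is not None]


# Constructed sample events.
SAMPLE_EVENTS = [
    {"deviceEventCategory": CRITICAL_UPDATE, "targetUserName": "alice",
     "sourceAddress": "10.0.0.5"},                       # DBA: permitted
    {"deviceEventCategory": CRITICAL_UPDATE, "targetUserName": "bob",
     "sourceAddress": "10.0.0.6"},                       # Analyst only: fires
    {"deviceEventCategory": "/Database/Query", "targetUserName": "bob",
     "sourceAddress": "10.0.0.6"},                       # not a critical update
    {"deviceEventCategory": CRITICAL_UPDATE, "targetUserName": "dave",
     "sourceAddress": "10.0.0.7"},                       # not in the list: fires
]
```

The design choice worth noting is the treatment of a user who is missing from the list: the lookup returns no values, so the check fails and the rule fires. If the list were populated only for privileged users and the rule instead tested "user has a forbidden role", an unlisted user would pass silently, which is the wrong default for an authorization check.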


Administrator 

An administrator is a person who has the rights to administer ArcSight and manage users, groups, and 
their permissions. 

See also "Users" on page 1067, "User Types" on page 1068, "Managing Users" on page 180. 


Advanced Editor 

An Advanced Editor is available to accommodate special requirements based on context for providing 
input to various fields, conditions, or other values. The Advanced Editor provides different features, 
depending on the context in which it is called or used in the Console. 

Typically, the Advanced Editor shows up during edit operations in the "Common Conditions Editor 
(CCE)", "Rules Editor" (for example, editing rule actions), and "Variables" editors, but it might show up 
in other contexts also. 

Here are just a few examples of some of the contexts and features the Advanced Editor provides. 

• Enable multi-line input. Advanced editors provide an option to enter multi-line input for rule action 
triggers, event field values in the common conditions editor (CCE), and so forth. 

[Screenshot: rule action editor showing When: OnEveryEvent, Set EventField.] 

• Provide calendars and times. 

• Choose a field set from a list. 



Aggregation 

Aggregation is a composition technique for building a new event from one or more existing events that 
support some or all of the new event's conditions. 

You use aggregation to group occurrences of matching conditions based on incoming event field data 
values, and optionally count only distinct occurrences of those events. To support that, the Console 
provides Group By aggregation, in which you can group (aggregate) correlated events by field values. 
You can also optionally include distinct-value event processing combined with either join conditions 
and/or event grouping, to provide further constraints on when rules should fire. 

Rules always run subject to their associated aggregation parameters, even if only the defaults. For 
more information, see "Specifying Rule Thresholds and Aggregation" on page 511. 

The aggregated event count is a derived event field available in the "Event Inspector", the "Common 
Conditions Editor (CCE)", and shows up in various data monitors (for example, "Moving Average Data 
Monitor"). The aggregated event count is described with the Event Group data fields under "Data 
Fields". 


ArcSight Console 

The Console is a graphical user interface that provides centralized intelligent real-time monitoring to 
secure your enterprise. 

Console settings consist of your color selections, preferences, temporary filters, window sizes, and so 
on, and are saved in a .ast file. The current settings file you are using is displayed in the Console title 
bar (by default, machine:username.ast). You can save or load .ast files stored locally, on the same 
machine where the Console is installed, or save or load .ast files stored and maintained by the 
Manager. After settings are saved in a file, the .ast file is listed in the File menu. The File menu lists 
the last four .ast files that have been accessed. 

Concerning Console-Manager connections, you may want to note that while each Manager connects to 
many Consoles, each Console connects to only one Manager. Also, when a Console is connected to a 
Manager, it affects only that Manager, regardless of how that Manager may be linked within a larger 
Manager hierarchy. 

If you are viewing various articles, information, reports, or command results in a Web browser, see the 
Support Matrix applicable to your ESM version for a list of supported browsers. 

See related topics "Working in the Console" on page 40 and "Personalizing the Console" on page 76. 


Assets 

Assets are network devices, installed throughout your enterprise, that you monitor for vulnerability or 
attack. Once asset information is stored, ESM tracks your assets and notifies you if they are exposed 
to a threat or vulnerability, or if they are attacked. 

Within the Navigator panel's Assets resource tree there are a number of views of associated 
information. The Assets, Networks, Zones, Locations, Categories, and Vulnerabilities tabs each show 
different aspects of the devices in question. 

When, how, and why you might need to modify the resources in the Assets tabs is described in 
Managing Assets and Associated Resources, and particularly in Changing Assets. 

The Console shows assets, vulnerabilities, asset categories, scanner reports, and cases in active 
channels rather than static grid views. Leverage the power of channels for asset management, 
including use of filters, field sets, better sorting capabilities, and dynamic display of an unlimited 
number of items that is continually updated. 

What the Assets tabs contain is described below. 


Assets Tab 

This view shows the population of your network as discrete entities with specific IP addresses and 
unique MAC and host names. You often use this view to pinpoint a particular asset, then double-click it 
to change its characteristics and associations in the Asset Editor. The presentation is hierarchical and 
shows only the assets to which you have access through the Asset Editor. Note that you can also 
identify mobile assets by MAC address. 

Because the usage (Zones) and descriptive (Categories) views are separate, the Assets view is free to 
accurately describe the access restrictions that apply to a given user. 

The Internet Address Range asset category has its own Asset Range Editor. The address range 
groups are standard spans of IP addresses provided as a convenience for your use in rules. You can 
also collectively reference these ranges using the named networks on the Zones tab. For example, a 
rule could reference the Dark Address Space item under System Zones to identify a category of source 
IP addresses from which traffic should not legitimately originate. 

The Asset, Zone, and Asset Range Editors all include Categories and Zones tabs for editing these 
attributes. 

The Asset Editor has an Alternate Interfaces tab. When a single device has multiple network 
interfaces, you can define each interface as an independent asset. Common examples of multiple 
interface devices are network connection points such as routers and bridges. To use this editor from an 
appropriate asset in the tree, right-click it and choose View Asset Alternate Interfaces. 

An asset or asset range (or its group) can belong to only one zone or location. 


Zones Tab 

The Zones tab shows the hierarchy of network-related logical (usage) groups into which assets are 
collected, and on which you can act through the Zone Editor. 

You can also think of zones as aliases for portions of your network that are dedicated to certain 
organizational groups or functions. The Zones view can help disambiguate multiple private networks 
that might have overlapping address spaces. 

When the zones in your enterprise are referencing multiple global or local zones, ArcSight networks can 
help disambiguate erroneous address space overlaps or gaps, especially for SmartConnectors. A zone 
or zone group can belong to only one network or location, and expresses a single contiguous address 
range. 


Networks Tab 

Here you can view the hierarchical collection of network entities recognized within your system. In this 
context, a network is an enterprise-level registry of ArcSight zones. Networks are used to reconcile 
overlapping or missing asset ranges among zones (if they should erroneously occur). When networks 
are present, SmartConnectors use them to find their correct zone assignments. Note that networks 
apply only in enterprises that have networks broad enough to require multiple local or global maps. If 
your enterprise maps only its own address space (meaning that overlaps and gaps aren't likely) the 
Networks tab won't be populated. 

Each Network resource can relate to only one Customer resource, but to multiple Zones, provided 
address ranges do not overlap. 


Categories Tab 

The hierarchy of asset categories provides a way to reference assets by means of their application or 
context. A given asset can be associated with multiple categories. 

Asset categories are a cross-referencing capability that supports numerous business objectives. By 
making it possible to track network activity with certain assets on the basis of their business 
significance, data collection becomes possible; but just as importantly, other ArcSight analytical tools 
can also be brought to bear to derive many kinds of information. Finally, reporting capabilities can 
further analyze and permanently record the results. 

The categories for a given enterprise are often quite specialized, but certain categories are usually 
present, even if customized. 

Typical high-level asset categories often include: 

• ArcSight System Administration: These assets include its Console, Databases, 
SmartConnectors, and Managers. The system automatically detects its own administrative assets 
and creates these entries in their respective groups. 

• Site Asset Categories: These can be general monitoring categories such as Address Spaces, 
Applications, or Open Ports, but may include asset-tracking categories that are specific to issues 
such as business impacts and regulatory compliance. Business impacts might analyze the activity 
of a server that supports a particular product line. Regulatory compliance could monitor groups of 
workstations for HIPAA conformity. 

• System Asset Categories: These can be any of a number of categorizations of assets such as 
Criticality (low, medium, high, very high), which would monitor by a classification of how crucial 
assets are to the enterprise. 


Note: SmartConnector configuration also affects the ability to automatically create the assets 
that represent network devices. Each SmartConnector needs to report an IP address or 
hostname for its sensor so its events can be identified on the network. See the configuration 
guides for your SmartConnectors to ensure they are reporting this information. 


Vulnerabilities Tab 

The Vulnerabilities tab presents known vulnerabilities associated with the devices identified through 
the Assets tab. 

Device vulnerabilities are presented as closely as possible with device descriptions to facilitate useful 
comparisons and easy reference. 


Locations Tab 

The Locations tab shows the hierarchy of names your enterprise uses for its physical or geographical 
domains. 

Similar to zones, you can think of locations as another type of alias. You use this alias for portions of 
your network that are referenced by where they are rather than by organizational group or function. A 
given asset or asset range can be associated with only one location, but a given location can be 
associated with any number of appropriate assets, zones, or their groups. 


Asset Auto-Creation 

As described in "The Network Model" on page 99, ESM automatically creates assets for components 
and, if applicable, for assets arriving from scan reports sent by vulnerability scanners via scanner 
SmartConnectors. 

As a configuration option, you can also configure the creation of assets for devices reporting through 
SmartConnectors. 

This section describes in detail how assets are automatically created from vulnerability scan reports 
and, if so configured, for devices reporting through SmartConnectors. All of the default behaviors 
described in this section can be customized by changing settings in the server.properties file. For 
details, see "Asset Auto-Creation Advanced Configuration Options" on page 808. 

Topics include: 

• "Creating Assets from a Vulnerability Scan Report" below 

• "Creating Assets for SmartConnectors" on page 802 

• "Creating Assets for Network Devices" on page 805 

• "Asset Names" on page 807 

• "Asset Auto-Creation Advanced Configuration Options" on page 808 


Creating Assets from a Vulnerability Scan Report 

Assets are created from vulnerability scan reports differently for dynamic and static zones (for more 
about dynamic and static zones, see "The Network Model" on page 99). 

Tip: Scanner reports list only information received through the scanner, whereas Asset Editors 
include the full list of both scanner data and vulnerability mappings stored in the system. So, the 
Editors might show more or different information than that shown in scanner reports. 


Creating Assets from a Vulnerability Scan Report for Static Zones 

For assets in static zones, you need at least an IP address or a host name to create an asset. Asset 
identifiers are looked up in the following order in a static zone: 

• MAC address > IP address > host name 

The table below describes the action taken based on available IP and host name information. 

Vulnerability Assets in Static Zones 

Example                      Action taken if no conflicts                   Action taken if previous asset with similar information 
IP=1.1.1.1, hostname=myhost  Asset created                                  Previous asset updated 
IP=1.1.1.1, hostname=null    Asset created                                  Previous asset updated 
IP=null, hostname=myhost     Asset created                                  Previous asset updated 
IP=null, hostname=null       Asset not created. Either IP or host name      No action taken. Either IP or host name 
                             is required.                                   is required. 


Creating Assets from a Vulnerability Scan Report for Dynamic Zones 

For assets in dynamic zones, assets are identified by IP address and host name and/or MAC address. 
Asset identifiers are looked up in the following order in a dynamic zone: 

MAC address > host name > IP address 

By default, assets are not created in a dynamic zone if there is no host name present. The property set 
by default is: 

scanner-event.dynamiczone.asset.nonidentifiable.create=false 

Also by default, previous assets with similar information are discarded. This ensures that the network 
model is kept up to date with devices that are actively reporting events. The default property is set like 
this: 

scanner-event.dynamiczone.asset.ipconflict.preserve=false 

Below are the actions taken by default. 
Vulnerability Assets in Dynamic Zones 

Example | Action taken if no conflicts | Action taken if previous asset with similar information 
ip=1.1.1.1, hostname=myhost, mac=0123456789AB | Asset created | Previous asset deleted 
ip=1.1.1.1, hostname=myhost, mac=null | Asset created | Previous asset deleted 
ip=1.1.1.1, hostname=null, mac=0123456789AB | Asset created | Previous asset deleted 
ip=1.1.1.1, hostname=null, mac=null | Asset not created. Either host name or MAC address is required. | Asset not created. Either host name or MAC address is required. Previous asset deleted. 
ip=null, hostname=myhost, mac=null | Asset created | Previous asset deleted 
ip=null, hostname=null, mac=0123456789AB | Asset created | Previous asset deleted 
ip=null, hostname=myhost, mac=0123456789AB | Asset created | Previous asset deleted 


You can configure the system to create an asset if the asset has either an IP address or a host name, 
or to preserve previous assets with similar information, by customizing settings in server.properties. 
For details, see "Asset Auto-Creation Advanced Configuration Options" on page 808. 


Creating Assets for SmartConnectors 

ESM auto-creates assets for the ArcSight SmartConnectors connected to it. Creating assets for 
SmartConnectors is affected by the following conditions: 
• ESM does not create an asset if there is no Network defined for the SmartConnector. This could 
happen if a SmartConnector is added incorrectly, or if an unforeseen condition occurs, such as a 
database corruption. If you do not specify a Network for the Connector during setup, ESM uses the 
default RFC1918 system zones. 

• ESM does not create an asset unless the event is a base event: that is, an event generated by the 
device whose events the SmartConnector represents. For example, ESM creates an asset for the 
SmartConnector if the event is a firewall event, but it does not create an asset for the 
SmartConnector if the event is an ArcSight internal event, such as heartbeat events with the 
Manager. 

• ESM does not create an asset for the SmartConnector if the Connector Asset Auto Creation 
Controller filter (at /All Filters/ArcSight System/Asset Auto Creation/Connector Asset Auto Creation Controller) 
is specially configured to exclude traffic from assets in this zone. 

If the Connector Asset Auto Creation Controller filter is configured to exclude Connectors in a 
certain zone, such as a zone designated for VPN traffic that comes and goes from the network, 
then ESM does not create an asset for that Connector every time VPN traffic comes in from that 
Connector. This ensures that assets are not created unnecessarily. 

For more about the Connector Asset Auto Creation Controller filter and how to configure it, refer to the 
Standard Content Guide — ArcSight System and ArcSight Administration. For information about an 
optional ArcSight Foundation, refer to the Standard Content Guide for that Foundation. ESM 
documentation is available on Protect 724 at https://protect724.hp.com. 

Creating Assets for SmartConnectors in Static Zones 


By default, the SmartConnector auto-create function is enabled. For static zones, ESM needs both the 
IP address and host name to positively identify the SmartConnector asset. The table below shows the 
action taken when base events come in from devices involving that SmartConnector. 


SmartConnector Assets in Static Zones 

Example | Action taken if no previous SmartConnector | If a SINGLE enabled SmartConnector with the same IP address exists in the same zone | If multiple previous SmartConnectors with the same name exist in the zone 
ip=1.1.1.1, hostname=myhost | Asset created | Existing asset is relocated to the zone assigned to the Connector. If there's an asset with the same name in the group, the new asset is renamed (for example, asset_1). | No asset created. 
ip=1.1.1.1, hostname=null | Asset not created. Both the IP address and host name are required. | Existing asset is relocated to the zone assigned to the Connector. If there's an asset with the same name in the group, it gets renamed. | No asset created. 
ip=null, hostname=myhost | Asset not created. Both the IP address and host name are required. | Asset not created. Both the IP address and host name are required. | No asset created. 
ip=null, hostname=null | Asset not created. Both the IP address and host name are required. | Asset not created. Both the IP address and host name are required. | No asset created. 


Creating Assets for SmartConnectors in Dynamic Zones 

By default, the SmartConnector auto-create function is enabled. For dynamic zones, it first looks for a 
MAC address, then a host name to positively identify the SmartConnector asset. The table below 
shows the action taken when base events come in involving that SmartConnector. (If multiple previous 
assets with the same name exist in the zone, no asset is created.) 


SmartConnector Assets in Dynamic Zones 

Example | Action taken if no previous SmartConnector | If a SINGLE enabled asset with the same IP address exists in the same zone 
ip=1.1.1.1, hostname=myhost, mac=0123456789AB | Asset created. | Existing asset is relocated to the zone assigned to the Connector. If there's an asset with the same name in the group, the new asset is renamed (for example, asset_1). 
ip=1.1.1.1, hostname=myhost, mac=null | Asset created. | Existing asset is relocated to the zone assigned to the Connector. If there's an asset with the same name in the group, it gets renamed. 
ip=1.1.1.1, hostname=null, mac=0123456789AB | Asset not created. Both the IP address and host name are required. | Asset not created. Both the IP address and host name are required. 
ip=1.1.1.1, hostname=null, mac=null | Asset not created. Both the IP address and host name are required. | Asset not created. Both the IP address and host name are required. 
ip=null, hostname=myhost, mac=null | Asset not created. Both the IP address and host name are required. | Asset not created. Both the IP address and host name are required. 
ip=null, hostname=null, mac=0123456789AB | Asset not created. Both the IP address and host name are required. | Asset not created. Both the IP address and host name are required. 

Creating Assets for Network Devices 

By default, the Manager also auto-creates assets for the network devices that originate the events. 

This feature can be configured during Manager setup using the Manager Setup Wizard. 

Creating assets for devices is affected by the following conditions: 

• The Manager does not create an asset if there is no Network defined for the SmartConnector. This 
could happen if a SmartConnector is added incorrectly, or if an unforeseen condition occurs, such 
as a database corruption. If you do not specify a Network for the Connector during setup, ESM uses 
the default RFC 1918 system zones. 

• The Manager does not create an asset unless the event is a base event: that is, an event generated 
by the device whose events the SmartConnector represents. For example, the Manager creates an 
asset for the device if the event is a firewall event, but it cannot create an asset for the device if the 
event is an ArcSight internal event, such as heartbeat events with the Manager. 

• The Manager does not create an asset for the device if the Connector Asset Auto Creation 
Controller filter (at /All Filters/ArcSight System/Asset Auto Creation/Device Asset Auto Creation Controller) 
is specially configured to exclude traffic from assets in this zone. 

If the Connector Asset Auto Creation Controller filter is configured to exclude events from 
Connectors in a certain zone, such as a zone designated for VPN traffic that comes and goes from 
the network, then the Manager does not create an asset for the device the Connector represents 
every time VPN traffic comes in from that Connector. This ensures that the Manager does not 
create unnecessary assets. 

For more about the Connector Asset Auto Creation Controller filter and how to configure it, refer to 
the Standard Content Guide — ArcSight System and ArcSight Administration. For information about an 
optional ArcSight Foundation, refer to the Standard Content Guide for that Foundation. ESM 
documentation is available on Protect 724 at https://protect724.hp.com. 

Creating Assets for Network Devices in Static Zones 


If you configured Manager setup to auto-create assets for the network devices that generate events, it 
takes the following actions based on IP address and host name in static zones. 


Network Device Assets in Static Zones 

Example | Action taken if no previous device | Asset with same information exists on any zone related to SmartConnector 
ip=1.1.1.1, hostname=myhost | Asset created. | Move asset to a new group. If there is already an asset with the same name, the previous one is renamed. 
ip=1.1.1.1, hostname=null | Asset not created. Both IP address and host name are required. | Asset not created. Both IP address and host name are required. 
ip=null, hostname=myhost | Asset not created. Both IP address and host name are required. | Asset not created. Both IP address and host name are required. 
ip=null, hostname=null | Asset not created. Both IP address and host name are required. | Asset not created. Both IP address and host name are required. 

Creating Assets for Network Devices in Dynamic Zones 

If you configured Manager setup to auto-create assets for the network devices that generate events, it 
takes the following actions based on IP address, host name, and MAC address in dynamic zones. 
Network Device Assets in Dynamic Zones 

Example | Action taken if no previous device | Asset with same information exists on any zone related to SmartConnector 
ip=1.1.1.1, hostname=myhost, mac=0123456789AB | Asset created. | Move asset to a new group. If there is already an asset with the same name, the previous one is renamed. 
ip=1.1.1.1, hostname=myhost, mac=null | Asset created. | Move asset to a new group. If there is already an asset with the same name, the previous one is renamed. 
ip=1.1.1.1, hostname=null, mac=0123456789AB | Asset created. | Move asset to a new group. If there is already an asset with the same name, the previous one is renamed. 
ip=1.1.1.1, hostname=null, mac=null | Asset not created. Host name or MAC address is required. | Asset not created. Host name or MAC address is required. 
ip=null, hostname=myhost, mac=null | Asset created. | Move asset to a new group. If there is already an asset with the same name, the previous one is renamed. 
ip=null, hostname=null, mac=0123456789AB | Asset created. | Move asset to a new group. If there is already an asset with the same name, the previous one is renamed. 

Asset Names 

The Manager names the auto-created assets using the following templates. The creation rules work 
differently depending on how the events arrive: by Connector or by scanner; and whether they belong to 
a dynamic or static zone. 

Naming Assets from Scanner Events 

By default, assets that come from scanners use the naming scheme outlined below, depending on 
whether the assets came from a static or dynamic zone. This scheme controls how asset names 
appear in channels and labels in the user interface. 
Asset Names from Scanner Events 

         | Static Zone | Dynamic Zone 
Property | scanner-event.auto-create.asset.name.template | scanner-event.auto-create.dynamiczone.asset.name.template 
Value    | $destinationAddress - $!destinationHostName | $destinationHostName 
Example  | 1.1.1.1 - myhost | myhost 


You can reconfigure this default naming scheme in the server.properties file, for example, if you want 
to show the host name first, or use an underscore to separate the elements. For details, see "Changing 
the Default Naming Scheme" on page 811. 

Naming SmartConnector and Device Assets 

SmartConnector and device assets are given the host name of the system that hosts them: 
name = hostname 


Asset Auto-Creation Advanced Configuration Options 

If the profile of events in your network causes the asset auto creation feature to create assets in your 
network model inefficiently, you can modify the asset auto creation default settings in the user 
configuration file, server.properties. 

The server.properties file is located at $ARCSIGHT_HOME/config/server.properties. 

For more about working with properties files, see the topic “Managing and Changing Properties File 
Settings” in the Administrator’s Guide. 

Asset Auto-Creation from Scanners in Dynamic Zones 

The following properties relate to how the Manager creates assets from a vulnerability scan report for 
dynamic zones. 

Create Asset with IP Address or Host Name 

By default, the Manager does not create an asset in a dynamic zone if there is no host name present, 
as described in "Creating Assets from a Vulnerability Scan Report for Dynamic Zones" on page 801. 
The property set by default is: 

scanner-event.dynamiczone.asset.nonidentifiable.create=false 

You can configure the Manager to create the asset as long as it has either an IP address or a host 
name. In server.properties, change scanner-event.dynamiczone.asset.nonidentifiable.create 
from false to true. The Manager discards conflicts between an IP address and host name (similar IP 
address, but different host name and/or MAC address). 

Caution: Creating an asset if no host name is present can result in an inaccurate asset 
model. 

Setting scanner-event.dynamiczone.asset.nonidentifiable.create to true means that 
assets are created if the asset has either an IP address or a host name. 

This could lead to disabled assets or duplicated assets being created. Change this configuration 
only if you are using a dynamic zone to host ostensibly static assets, such as long-lived DHCP 
addresses. 


When this property is set to true, the Manager takes the following actions. 


Asset Creation with IP Address Only or Hostname Only 

Example | Action taken if no conflicts | Action taken if previous asset with similar information 
ip=1.1.1.1, hostname=myhost, mac=0123456789AB | Asset created | Asset created, previous asset is deleted. 
ip=1.1.1.1, hostname=myhost, mac=null | Asset created | Asset created, previous asset is deleted. 
ip=1.1.1.1, hostname=null, mac=0123456789AB | Asset created | Asset created, previous asset is deleted. 
ip=1.1.1.1, hostname=null, mac=null | Asset created | Asset created, previous asset is deleted. 
ip=null, hostname=myhost, mac=null | Asset created | Asset created, previous asset is deleted. 
ip=null, hostname=null, mac=0123456789AB | Asset not created. Either host name or IP address is required. | Asset not created. Either host name or IP address is required. 
ip=null, hostname=myhost, mac=0123456789AB | Asset not created. Either host name or IP address is required. | Asset not created. Either host name or IP address is required. 


Preserve Previous Assets 

This setting applies when the Manager creates assets from a vulnerability scan report for dynamic 
zones. By default, if a previous asset with similar information already exists in the asset model, the 
Manager creates a new asset and deletes the old one, as described in "Creating Assets from a 
Vulnerability Scan Report for Dynamic Zones" on page 801. 

If you want to preserve the previous asset rather than delete it when a scan finds a new asset with 
similar information, you can configure the Manager to rename the previous asset. In 
server.properties, change scanner-event.dynamiczone.asset.ipconflict.preserve from 
false to true. 


Caution: Preserving previous assets results in a larger asset model. 

Setting scanner-event.dynamiczone.asset.ipconflict.preserve to true means that assets are 
continually added to the asset model and not removed. Use this option only if you know you must 
preserve all assets added to the asset model. 

When you configure the Manager with 
scanner-event.dynamiczone.asset.nonidentifiable.create=false and 
scanner-event.dynamiczone.asset.ipconflict.preserve=true, 
it takes the following actions: 


ESM Actions for Preserved Previous Assets 

Example | Action taken if previous asset with similar information and preserve=true 
ip=1.1.1.1, hostname=myhost, mac=0123456789AB | Asset created, previous asset is renamed. 
ip=1.1.1.1, hostname=myhost, mac=null | Asset created, previous asset is renamed. 
ip=1.1.1.1, hostname=null, mac=0123456789AB | Asset created, previous asset is renamed. 
ip=1.1.1.1, hostname=null, mac=null | No action taken. Either host name or MAC address is required. 
ip=null, hostname=myhost, mac=null | Asset created, previous asset is renamed. 
ip=null, hostname=null, mac=0123456789AB | Asset created, previous asset is renamed. 
ip=null, hostname=myhost, mac=0123456789AB | Asset created, previous asset is renamed. 


Changing the Default Naming Scheme 

By default, the Manager names assets that come from scanners using the naming scheme outlined in 
"Asset Names" on page 807. 


Asset Default Names 

         | Static Zone | Dynamic Zone 
Property | scanner-event.auto-create.asset.name.template | scanner-event.auto-create.dynamiczone.asset.name.template 
Value    | $destinationAddress - $!destinationHostName | $destinationHostName 
Example  | 192.0.2.1 - myhost | myhost 


You can reconfigure this default naming scheme, for example, if you want to show the host name first, 
or use an underscore to separate the elements. 

For example, you want the asset name for an asset in a static zone to appear this way in the user 
interface: 

myhost_192.0.2.1 

In this case, change the default 

$destinationAddress - $!destinationHostName 

to 

$!destinationHostName_$destinationAddress 
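The decision tables in this chapter, the two server.properties switches and the name templates, as an added Python model (not ArcSight code) for predicting what a settings change does to the network model before the Manager is reconfigured. The simplified Velocity-style expansion of $ and $! references, and the names zone, previous_exists, nonidentifiable_create and ipconflict_preserve, are assumptions of this example.

```python
"""Model of the scanner-event asset auto-creation decision tables.

Added illustration, not ArcSight code: it encodes the static-zone and
dynamic-zone tables in this chapter, the two server.properties switches
(scanner-event.dynamiczone.asset.nonidentifiable.create and
scanner-event.dynamiczone.asset.ipconflict.preserve) and the default
name templates, so the effect of a settings change on the network model
can be predicted before the Manager is reconfigured.
"""
import re
from dataclasses import dataclass

# Default templates from the "Asset Names from Scanner Events" table.
ASSET_NAME_TEMPLATE = {
    "static": "$destinationAddress - $!destinationHostName",
    "dynamic": "$destinationHostName",
}


@dataclass
class Decision:
    created: bool
    # What happens to a previous asset with similar information:
    # "none", "updated", "deleted" or "renamed".
    previous: str
    reason: str


def scanner_asset_decision(zone, ip=None, hostname=None, mac=None,
                           previous_exists=False,
                           nonidentifiable_create=False,
                           ipconflict_preserve=False):
    """Return the action the tables prescribe for one scan-report entry.

    zone is "static" or "dynamic"; None models a null field. The keyword
    switches mirror the two server.properties keys named above.
    """
    if zone == "static":
        # Static zones: an IP address or a host name is enough, and a
        # previous asset with similar information is updated in place.
        if ip is None and hostname is None:
            return Decision(False, "none", "Either IP or host name is required.")
        return Decision(True, "updated" if previous_exists else "none", "ok")

    if zone != "dynamic":
        raise ValueError("zone must be 'static' or 'dynamic'")

    if nonidentifiable_create:
        # nonidentifiable.create=true: an IP address or a host name suffices
        # (the rule the chapter states in prose for this setting).
        identifiable = ip is not None or hostname is not None
        reason = "Either host name or IP address is required."
    else:
        # Default: the dynamic-zone table requires a host name or a MAC.
        identifiable = hostname is not None or mac is not None
        reason = "Either host name or MAC address is required."

    if not identifiable:
        # With the default settings the table still discards the conflicting
        # previous asset; with preserve=true it takes no action.
        drop = (previous_exists and not ipconflict_preserve
                and not nonidentifiable_create)
        return Decision(False, "deleted" if drop else "none", reason)

    if not previous_exists:
        return Decision(True, "none", "ok")
    return Decision(True, "renamed" if ipconflict_preserve else "deleted", "ok")


# Only the two event references the chapter's templates use are expanded.
_REF = re.compile(r"\$(!?)(destinationAddress|destinationHostName)")


def render_asset_name(template, ip=None, hostname=None):
    """Expand a name template for one event.

    Simplified Velocity-style expansion (an assumption of this example):
    $name inserts the field value and leaves the reference untouched when
    the field is null, while $!name inserts the value or nothing. That is
    why the static default tolerates a missing host name.
    """
    values = {"destinationAddress": ip, "destinationHostName": hostname}

    def substitute(match):
        quiet, name = match.group(1), match.group(2)
        value = values[name]
        if value is None:
            return "" if quiet else match.group(0)
        return value

    return _REF.sub(substitute, template)


if __name__ == "__main__":
    # Walk the ip=1.1.1.1 / hostname=null / mac=null row through each setting.
    for create, preserve in [(False, False), (True, False), (False, True)]:
        decision = scanner_asset_decision(
            "dynamic", ip="1.1.1.1", previous_exists=True,
            nonidentifiable_create=create, ipconflict_preserve=preserve)
        print(f"create={create} preserve={preserve}: {decision}")
    print(render_asset_name("$!destinationHostName_$destinationAddress",
                            ip="192.0.2.1", hostname="myhost"))
```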


Attack 

An exploited threat or an attempt to bypass security controls on a computer. The attack may alter, 
release, or deny data. Whether an attack succeeds depends on the vulnerability of the computer 
system and the effectiveness of existing countermeasures. 


Audit Events 

Audit events are events generated within the Manager to mark a wide variety of routine actions that can 
occur manually or automatically, such as adding an event to a case or when a Moving Average data 
monitor detects a rapidly rising moving average. Audit events have many applications, which can 
include notifications, task validation, compliance tracking, automated housekeeping, and system 
administration. 

This topic lists the ArcSight audit events you can use in rules, filters, and other analytical or 
administrative resources. Observe the way these events are used in the standard system-related 
content for examples of how to apply them. 

In the table below, use the Audit Event Category to locate events. Use the Device Event Class 
(DEC) ID string in rules and filters. The Audit Event Description reflects the resource name you see 
in active channel grids. Additional details, when necessary, appear in the Notes column. 

Compare audit events, which report on system activity, with Status Monitor events, which provide 
information about a wide variety of system states. 

All resources (except actors, groups, and users) use the general audit events described in “Resources 
(Configuration Events Common to Most Resources)” when a resource is added, deleted, updated, 
locked, or unlocked. Actors, groups, and users each use their own unique set of audit events. Other 
resources present unique audit events that are listed in this section in alphabetical order by resource. 

Tip: To get additional details within the “update resource” audit events (beyond what is provided by 
default), you can enable a resource audit property called resource.audit.update.uris in the file 
server.properties on the Manager to specify which resources should show extended audit 
event information. 

For information on Logger audit events, see the Logger Administrator’s Guide appendix, “Logger Audit 
Events.” 


Audit Events Common to Most Resources 

These audit events are generated in response to creation events and configuration updates to most 
resources, except users, actors, and groups, which use different audit events. When a resource is 
added, deleted, updated, locked, or unlocked, the Manager generates one audit event with the following 
attributes: 

• Device Event Class ID = resource:100 (deleted) or resource:101 (updated) or resource:102, 
and so on. 

• Event Name = <resource type> deleted/updated/added. 

• File Name = <Resource Name> (for example, John’s Filter) 

• File Path = <Resource URI> (for example, /All Filters/administrator’s Filter/John’s Filter) 

• File Type = <Resource Type> (for example, Filter) 


Audit Events on Resources 

Audit Event Category | Device Event Class ID | Audit Event Description 
Resource (Delete) | resource:100 | Resource deleted. The Event Name describes the action and resource type (<ResourceName> deleted); for example, deleting a filter results in an event named Filter deleted. 
Resource (Update) | resource:101 | Resource updated. This audit event is generated when an existing resource is modified or added. See Resource (Add). The Event Name describes the action (update) and resource type (<ResourceName> updated); for example, modifying a report results in an event name of Report updated. 
Resource (Add) | resource:102 | Resource added (inserted). The Event Name describes the action (insert) and resource type (<ResourceName> inserted); for example, adding a case results in an event name of Case inserted. Adding a Case group results in an event name of Group [Case] inserted. 
Resource (Lock) | resource:103 | Resource locked (<ResourceName> locked). 
Resource (Unlock) | resource:104 | Resource unlocked (<ResourceName> unlocked). 
 | resourcereference:100 | Could not locate a resource through the supplied universal resource identifier (URI). 


Active Channel 


Audit Events on Active Channels 

Device Event Class ID | Audit Event Message 
channel:001 | An active channel [Channel Name] was opened/started. 
channel:002 | The channel [Channel Name] is empty; that is, there are no matching events for the built-in channel filter. 
channel:003 | The channel [Channel Name] query completed. 
channel:004 | The channel [Channel Name] query is slow. 


Active List 


Audit Events on Active Lists 

Device Event Class ID | Audit Event Message 
activelist:101 | An entry was added to an active list. 
activelist:102 | An entry was removed from an active list. 
activelist:103 | An entry was changed in an active list. 
activelist:104 | An entry has expired in an active list. 
activelist:105 | An entry has been evicted from an active list. The active list is full and an entry is dropped. 
Actor 


Audit Events on Actors 

Device Event Class ID | Audit Event Message 
actor:100 | An actor was deleted. 
actor:102 | An actor was created. 
actor:110 | One or more actor attributes were updated. 
actor:111 | A multi-valued actor attribute was added to an actor. 
actor:112 | A multi-valued actor attribute was removed from an actor. 


Archive 


Audit Events on Archive Management 

Device Event Class ID | Audit Event Description 
archive:100 | Archive created 
archive:101 | Archive deleted 
archive:102 | Event archive settings updated 
archive:110 | Archive activated 
archive:111 | Archive activation cancelled 
archive:112 | Archive activation failed 
archive:120 | Archive operation succeeded 
archive:121 | Archive operation cancelled 
archive:122 | Archive operation failed 
archive:130 | Archive deactivated 
archive:131 | Archive deactivation cancelled 
archive:132 | Archive deactivation failed 
archive:140 | Archive scheduled 
archive:141 | Archive schedule cancelled 
archive:142 | Archive schedule failed 
archive:143 | Supplemental archive operation succeeded 
archive:144 | Supplemental Archive — No data 
archive:145 | Supplemental archive, failure 


Authentication 


Audit Events on Authentication 

Audit Event Category | Device Event Class ID | Audit Event Message 
Authentication | authentication:100 | A client authenticated with the Manager. 
Authentication | authentication:101 | A client authentication login failed. 
Authentication | authentication:102 | An authenticated client logged out of the Manager. 
Authentication | authentication:103 | Authentication logout time. 
Authentication | authentication:104 | A client made several unsuccessful attempts to log in to the Manager, resulting in an excessive number of failed logins. 
Authentication | authentication:105 | A non-FIPS client authenticated with the Manager via login. (A valid login by a non-FIPS ArcSight Console authenticating itself to the Manager triggers this audit event.) For information on how to configure a non-FIPS client (such as ArcSight Console) to log in to a FIPS-enabled Manager, see the Administrator's Guide. 
Connector Login | authentication:200 | Successful connector authentication. 
Connector Login | authentication:201 | Connector authentication failed. 
Authentication | authentication:202 | A non-FIPS connector authenticated with the Manager via login. (A valid login by a non-FIPS SmartConnector authenticating itself to the Manager triggers this audit event.) For information on how to configure a non-FIPS SmartConnector to connect to a FIPS-enabled Manager, see the document Installing FIPS-Compliant SmartConnectors. 


Authorization 

Device Event Class ID | Audit Event Description 
authorization:100 | Manager refused to authorize client. 


Connector Connection 


Audit Events on Connector Connections 

Device Event Class ID | Audit Event Description 
agent:009 | Manager rejected a connection attempt from a connector for reasons other than authentication failure. 
agent:030 | Connector started. 
agent:031 | Connector shutting down. 
agent:041 | Event flow on connector has been started, stopped, or paused. 
agent:043 | This occurs at the specified interval, if Device Status Monitoring is enabled. It reports the last time an event was received and the number of events since the connector started and since the previous report. 
agent:101 | Connector has just connected to Manager. 
agent:102 | Connector is sending events but no heartbeats. 
agent:103 | Connector is sending neither events nor heartbeats. 
agent:104 | An unknown connector attempted to connect to the Manager. 
agent:105 | A connector presented an incorrect shared secret when authenticating. 
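As an added detection example (not ArcSight content), the following Python triages audit events by the Device Event Class IDs listed in the tables above: single-occurrence alerts for the authentication, authorization and connector-connection IDs, a count of repeated authentication:101 failures per source, and resource:100 deletions under the ArcSight System filter tree. It assumes the events were forwarded as CEF lines (the sample lines are constructed and their Event Names invented), uses the standard CEF extension keys src, suser, filePath and fname, and the protected URI prefix and failed-login threshold are choices made for this example.

```python
"""Triage of ESM audit events by Device Event Class ID.

Added detection example, not ArcSight content. It keys on the DEC IDs
from the tables in this section and assumes the audit events have been
forwarded as CEF lines; the sample lines below are constructed for the
example and the Event Names in them are invented.
"""
import re
from collections import Counter

# DEC ID -> (Audit Event Category, description), from the tables above.
AUDIT_EVENTS = {
    "authentication:100": ("Authentication", "A client authenticated with the Manager."),
    "authentication:101": ("Authentication", "A client authentication login failed."),
    "authentication:104": ("Authentication", "Excessive number of failed logins."),
    "authorization:100": ("Authorization", "Manager refused to authorize client."),
    "agent:104": ("Connector Connection", "An unknown connector attempted to connect."),
    "agent:105": ("Connector Connection", "Connector presented an incorrect shared secret."),
    "resource:100": ("Resource (Delete)", "Resource deleted."),
    "resource:101": ("Resource (Update)", "Resource updated."),
}

# DEC IDs worth an alert on a single occurrence (a choice made for this example).
ALWAYS_ALERT = {"authentication:104", "authorization:100", "agent:104", "agent:105"}

# Deleting system content under this URI prefix is flagged (example choice).
PROTECTED_URI_PREFIX = "/All Filters/ArcSight System/"

# Constructed sample: CEF header fields, then standard CEF extension keys.
SAMPLE_AUDIT_LINES = [
    "CEF:0|ArcSight|ArcSight|6.9.1|authentication:100|Login|3|src=10.0.0.5 suser=alice",
    "CEF:0|ArcSight|ArcSight|6.9.1|authentication:101|Login failed|5|src=10.0.0.9 suser=admin",
    "CEF:0|ArcSight|ArcSight|6.9.1|authentication:101|Login failed|5|src=10.0.0.9 suser=admin",
    "CEF:0|ArcSight|ArcSight|6.9.1|authentication:101|Login failed|5|src=10.0.0.9 suser=admin",
    "CEF:0|ArcSight|ArcSight|6.9.1|agent:105|Bad shared secret|7|src=10.0.0.77",
    "CEF:0|ArcSight|ArcSight|6.9.1|resource:100|Filter deleted|3|suser=bob "
    "filePath=/All Filters/ArcSight System/Asset Auto Creation/Connector Asset Auto Creation Controller "
    "fname=Connector Asset Auto Creation Controller",
    "CEF:0|ArcSight|ArcSight|6.9.1|resource:100|Filter deleted|3|suser=bob "
    "filePath=/All Filters/Personal/bob/Scratch fname=Scratch",
]

# key=value pairs; a value runs until the next " key=" or the end of the line.
_EXTENSION = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_cef(line):
    """Split one CEF line into its header fields plus its extension pairs."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line!r}")
    event = {"vendor": parts[1], "product": parts[2], "version": parts[3],
             "dec_id": parts[4], "name": parts[5], "severity": parts[6]}
    for key, value in _EXTENSION.findall(parts[7]):
        event[key] = value.strip()
    return event


def triage(lines, failed_login_threshold=3):
    """Return one alert string per finding in the given audit lines."""
    alerts = []
    failed_by_source = Counter()
    for line in lines:
        event = parse_cef(line)
        dec_id = event["dec_id"]
        category, description = AUDIT_EVENTS.get(dec_id, ("Unknown", "not in the tables"))
        if dec_id in ALWAYS_ALERT:
            alerts.append(f"{dec_id} [{category}] {description} "
                          f"src={event.get('src', '?')}")
        elif dec_id == "authentication:101":
            # One failure is noise; repeated failures from one source are not.
            failed_by_source[event.get("src", "?")] += 1
        elif (dec_id == "resource:100"
              and event.get("filePath", "").startswith(PROTECTED_URI_PREFIX)):
            alerts.append(f"{dec_id} [{category}] system content deleted: "
                          f"{event['filePath']} by {event.get('suser', '?')}")
    for src, count in failed_by_source.items():
        if count >= failed_login_threshold:
            alerts.append(f"authentication:101 x{count} from {src}: "
                          f"repeated failed logins")
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_AUDIT_LINES):
        print(alert)
```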


Connector Exceptions 


Audit Events on Connector Exceptions 

Device Event Class ID | Audit Event Description 
agent:012 | Connector detected source events from a sensor device containing incorrect time stamps. 
agent:013 | Connector noted that a new sensor device is sending events. 
agent:014 | Connector could not find a base event referenced in a syslog aggregate event. 
agent:015 | Connector connection device failure. 
agent:016 | Connector connection device success. 
agent:017 | Connector successfully executed a command. 
agent:018 | Connector could not execute a command. 
agent:019 | Connector is caching events because they could not be immediately transmitted to the Manager. 
agent:020 | Connector has emptied its cache of events. 
agent:021 | Connector could not communicate with an NT collector sensor. 
agent:023 | Connector could not communicate with a Checkpoint sensor. 
agent:024 | Connector is having difficulty communicating with Checkpoint. 
agent:028 | Connector experienced an unexpected problem. 
agent:029 | Connector was forced to drop its cached data. 
agent:035 | Connector sent an event with a bad timestamp; it is beyond the retention period. 
agent:107 | Connector is generating events for too many devices. This may be due to improper field mapping in the connector that causes what should be the same device to be referenced in too many different ways. 

The correlated internal event for agent:107 sets these additional fields: 

• name: Too many devices being created - possible parsing problem 

• deviceEventCategory: /Agent/SideTableOverflow 

• agentSeverity: Very high (4) 


Connector Login 


Audit Events on Connector Logins 

Device Event Class ID | Audit Event Description 
authentication:200 | Successful connector authentication. 
authentication:201 | Connector authentication failed. 


Connector Registration and Configuration 


Audit Events on Connector Registration and Configuration 

Device Event Class ID | Audit Event Description 
agent:007 | Connector successfully registered with Manager. 
agent:008 | Connector did not successfully register with Manager. 
agent:010 | Connector upgrade succeeded. This is currently in the context of an installer upgrade. 
agent:011 | Connector upgrade failed. This event is not currently being generated. 
agent:022 | Connector could not process a reconfiguration request. 
agent:025 | Connector content was successfully updated. 
agent:026 | Connector content update failed. 
agent:032 | Connector configuration was successfully changed. 
Content Management 


Audit Events on Content Management 

Device Event Class ID | Audit Event Description 
contentmanagement:100 | ESM Manager is now a content publisher. 
contentmanagement:102 | ESM Manager is now a subscriber. 
contentmanagement:103 | ESM Manager is no longer a subscriber. 
contentmanagement:120 | A package has been manually delivered to subscribers. 
contentmanagement:121 | A package has been received from the content publishing system. 
contentmanagement:122 | A package delivery has started. 
contentmanagement:123 | A package delivery has completed. 
contentmanagement:124 | A package delivery attempt has failed. 
contentmanagement:125 | A package has been successfully installed by a subscriber. 
contentmanagement:126 | A package has failed to install for a subscriber. 
contentmanagement:130 | A package has been added to a schedule. 
contentmanagement:131 | A package has been removed from a schedule. 
contentmanagement:140 | A content synchronization schedule has been enabled. 
contentmanagement:141 | A content synchronization schedule has been updated. 
contentmanagement:142 | A content synchronization schedule has been disabled. 
contentmanagement:143 | An attempt to enable or update the content synchronization schedule has failed. 


Dashboard

Audit Events on Dashboards

Device Event Class ID    Audit Event Description

dashboard:001
    A data monitor on a dashboard was newly accessed after not having been accessed for some
    time (for example, the dashboard had been closed). This audit event is generated on a
    per-user, per-Console-session basis.

dashboard:100
    Dashboard has opened.
Data Monitors

Audit events related to data monitors are described in the following tables, categorized by data monitor
type. (See also the Dashboard audit events topic.)

Last State Data Monitors

Audit Events on Last State Data Monitors

Device Event Class ID    Audit Event Description

datamonitor:400
    A Last State data monitor entry has exceeded its time-out period and was automatically removed.

datamonitor:401
    A Last State data monitor entry value was manually changed by the user.

datamonitor:402
    A Last State data monitor entry was manually removed by the user.


Moving Average Data Monitor

Audit Events on Moving Average Data Monitors

Device Event Class ID    Audit Event Description

datamonitor:101
    Moving average threshold.

datamonitor:102
    Moving Average data monitor detected a rapidly falling moving average.

datamonitor:103
    Moving Average data monitor detected a rapidly rising moving average.

datamonitor:104
    Moving Average data monitor reporting the current moving average.

datamonitor:105
    A value was added to a Moving Average data monitor, which is now monitoring a new Group-By
    set of values.

datamonitor:106
    A value was removed from a Moving Average data monitor. The data monitor is no longer
    monitoring a particular Group-By set of values.


Reconciliation Data Monitor

Device Event Class ID    Audit Event Description

datamonitor:300
    Correlation data monitor reporting a correlated or non-correlated event.
Statistical Data Monitor

Audit Events on Statistical Data Monitors

Device Event Class ID    Audit Event Description

datamonitor:200
    Statistical Data Monitor reported a change in status.

datamonitor:201
    A value was added to a Statistical Data Monitor, which is now monitoring a new Group-By set
    of values.

datamonitor:202
    A value was removed from a Statistical Data Monitor. The data monitor is no longer monitoring
    a particular Group-By set of values.


Top Value Counts Data Monitor

Audit Events on Top Value Counts

Audit Event Category: Moving Average Data Monitor

Device Event Class ID    Audit Event Description

datamonitor:500
    For a Top Value Counts Data Monitor, the top N counts (N events).

datamonitor:501
    Counts that were most recently added to the data monitor (from 0 ... N events).

datamonitor:502
    Counts that were most recently removed from the data monitor (from 0 ... N events).

Global Variables

The following events also apply to resources in general. See “Audit Events Common to Most
Resources” on page 813.

Audit Events on Global Variables

Device Event Class ID    Audit Event Description

resource:100
    Global variable deleted.

resource:101
    Global variable updated.

resource:102
    Global variable inserted.

resource:103
    Global variable locked.

resource:104
    Global variable unlocked.
Group Management

The following audit events are generated for any group add, update, or delete, including user groups.
The event name identifies which type of resource was configured or modified. (For more information
on user management audit events, see the User Management category.)

Audit Events on Group Management

Device Event Class ID    Audit Event Description

group:100
    A group was deleted.

group:101
    A group was updated. This audit event is generated when an existing group is modified or added.

group:102
    A group was added (group inserted). When a new group is added, two audit events are generated:
    this event (group:102), and a Group Update audit event (group:101).

License Audit

Each of these events is reported every 24 hours, beginning 24 hours after you start the Manager.

Audit Events on License Audit

Device Event Class ID    Audit Event Description

license:100
    The number of assets you have at this time.

license:101
    The number of devices you have at this time.

license:102
    The number of actors you have at this time.

license:103
    The number of Console users you have at this time.

license:104
    The number of web users you have at this time.

license:105
    The average number of incoming events per second (EPS) over the last 24 hours and whether it
    exceeds your license.

license:106
    The number of times that license:105 threshold breaches have occurred since the Manager
    started, and the license limit.

license:107
    The number of times that EPS violations have breached the threshold over the number of days
    specified in your license. This is a serious license violation. For more information, look at the
    license:105 and license:106 events.
Logger Component

ArcSight Logger is a component in CORR-Engine. The available audit events for this component vary
by product version; some events in this topic may not apply to your version.

Logger component audit events are stored in the Default Storage Group. As a result, these events can
be searched using the ArcSight Command Center search. For example, you can search for this event:
“/Logger/Resource/Archive/Configuration/Add/”.

A Logger audit event contains information about the following prefix fields:

• Device Event Class ID (DEC ID)

• Device Severity

• Message

• Device Event Category (the key name for this CEF extension is “cat”)

For example:

Sep 19 08:26:10 Zurich CEF:0|ArcSight|Logger|3.5.0.13412.0|logger:500|Filter added|2|cat=/Logger/Resource/Filter/Configuration/Add msg=Filter [Unified Query Test] has been added

The following tables list the information contained in audit events generated by the Logger component
in ESM with CORR-Engine. Where applicable, the tables also show additional fields. The Severity for
all Logger component events is 2.
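The sample line above is a syslog-wrapped CEF record: seven pipe-delimited header fields (version, vendor, product, device version, DEC ID, name, severity) followed by a space-separated extension of key=value pairs. The parser below, which is an added example and not code from the ESM guide or from ArcSight, splits the header on unescaped pipes, parses the extension while honouring the CEF escapes for "=", "\" and "|", and resolves the csNLabel/csN and cnNLabel/cnN pairs that the Logger tables in this section list (for example cs1Label=Filter with cs1=filter) into a label-to-value map. The first sample event is the line quoted in the text; the second is a constructed logger:610 "Alert added" event whose field values (HighEps, admin, soc@example.test, port 514) are invented for the example.

```python
"""Parse ArcSight CEF audit events like the Logger sample quoted above.

Added example, not code from the ESM guide or from ArcSight. SAMPLE_EVENTS[0]
reproduces the line shown in the text; SAMPLE_EVENTS[1] is constructed to exercise
the csNLabel/csN labelled custom fields listed in the Logger audit-event tables.
"""
import re
from typing import Dict, List

# Constructed sample events: [0] is the line quoted in the text, [1] is a made-up
# logger:610 "Alert added" event with labelled custom fields and an escaped '='.
SAMPLE_EVENTS = [
    "Sep 19 08:26:10 Zurich CEF:0|ArcSight|Logger|3.5.0.13412.0|logger:500|Filter added|2|"
    "cat=/Logger/Resource/Filter/Configuration/Add msg=Filter [Unified Query Test] has been added",
    "Sep 19 08:27:42 Zurich CEF:0|ArcSight|Logger|3.5.0.13412.0|logger:610|Alert added|2|"
    "cat=/Logger/Component/Alert/Configuration/Add fname=HighEps duser=admin duid=1 "
    "cs1Label=Filter cs1=eps\\=1000 cs2Label=Email Destination(s) cs2=soc@example.test "
    "cn1Label=Syslog or SNMP Destination Port cn1=514 msg=Alert [HighEps] has been added",
]

# The seven pipe-delimited header fields that precede the extension.
HEADER_FIELDS = ["cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
                 "deviceEventClassId", "name", "severity"]

# key=value pairs: a new key starts only after whitespace, so spaces inside values survive,
# and an escaped "\=" inside a value never starts a new key.
_EXT_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=((?:\\.|[^\\])*?)(?=\s[A-Za-z0-9_.\-]+=|$)")


def _split_header(cef: str) -> List[str]:
    """Split on the first seven unescaped '|' characters; the remainder is the raw extension."""
    parts, start, i = [], 0, 0
    while i < len(cef) and len(parts) < 7:
        if cef[i] == "\\":          # skip an escaped character such as \| or \\
            i += 2
            continue
        if cef[i] == "|":
            parts.append(cef[start:i])
            start = i + 1
        i += 1
    parts.append(cef[start:])
    return parts


def parse_extension(raw: str) -> Dict[str, str]:
    """Parse the extension into a dict, undoing the CEF value escapes \\= \\\\ \\n \\r."""
    ext = {}
    for key, value in _EXT_RE.findall(raw):
        value = re.sub(r"\\([=\\])", r"\1", value).replace("\\n", "\n").replace("\\r", "\r")
        ext[key] = value
    return ext


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Map labelled custom fields (cs1Label=Filter, cs1=...) to {label: value}."""
    return {ext[key + "Label"]: value for key, value in ext.items() if key + "Label" in ext}


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog-wrapped CEF line into header fields, extension and labelled fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    parts = _split_header(line[start:])
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    # Header fields escape only '|' and '\'.
    header = {name: re.sub(r"\\([|\\])", r"\1", raw)
              for name, raw in zip(HEADER_FIELDS, parts[:7])}
    header["cefVersion"] = header["cefVersion"].split(":", 1)[1]   # "CEF:0" -> "0"
    if header["severity"].isdigit():
        header["severity"] = int(header["severity"])
    ext = parse_extension(parts[7])
    return {"syslogPrefix": line[:start].rstrip(), **header,
            "extension": ext, "labelled": resolve_labels(ext)}


def is_logger_audit(event: Dict[str, object]) -> bool:
    """True for Logger component audit events: DEC ID logger:<n>, severity 2 as the text states."""
    return str(event["deviceEventClassId"]).startswith("logger:") and event["severity"] == 2


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_cef(line)
        print(ev["deviceEventClassId"], ev["extension"]["cat"], ev["labelled"])
```

Because the extension grammar only treats whitespace followed by `key=` as a field boundary, values such as "Filter [Unified Query Test] has been added" or the label "Email Destination(s)" come through intact; a literal "=" inside a value must be escaped as "\=" by the producer, which the second sample shows.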
Alerts

Audit Events on Alerts

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:610
    Category: /Logger/Component/Alert/Configuration/Add
    Description: Alert [name] has been added
    Additional fields: fname=AlertName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=forwarderType dvc=syslogOrSnmpIpAddr
        dvchost=syslogOrSnmpHostName cn1Label=Syslog or SNMP Destination Port
        cn1=syslogOrSnmpPort cs1Label=Filter cs1=filter cs2Label=Email Destination(s)
        cs2=emailAddresses

logger:611
    Category: /Logger/Component/Configuration/Delete
    Description: Alert [name] has been deleted
    Additional fields: fname=AlertName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=forwarderType dvc=syslogOrSnmpIpAddr
        dvchost=syslogOrSnmpHostName cn1Label=Syslog or SNMP Destination Port
        cn1=syslogOrSnmpPort cs1Label=Filter cs1=filter cs2Label=Email Destination(s)
        cs2=emailAddresses

logger:612
    Category: /Logger/Component/Alert/Configuration/Update
    Description: Alert [name] has been updated
    Additional fields: fname=AlertName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=forwarderType dvc=syslogOrSnmpIpAddr
        dvchost=syslogOrSnmpHostName cn1Label=Syslog or SNMP Destination Port
        cn1=syslogOrSnmpPort cs1Label=Filter cs1=filter cs2Label=Email Destination(s)
        cs2=emailAddresses

logger:613
    Category: /Logger/Component/Alert/Configuration/Enable
    Description: Alert [name] has been enabled
    Additional fields: fname=AlertName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=forwarderType dvc=syslogOrSnmpIpAddr
        dvchost=syslogOrSnmpHostName cn1Label=Syslog or SNMP Destination Port
        cn1=syslogOrSnmpPort cs1Label=Filter cs1=filter cs2Label=Email Destination(s)
        cs2=emailAddresses

logger:614
    Category: /Logger/Component/Alert/Configuration/Disable
    Description: Alert [name] has been disabled
    Additional fields: fname=AlertName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=forwarderType dvc=syslogOrSnmpIpAddr
        dvchost=syslogOrSnmpHostName cn1Label=Syslog or SNMP Destination Port
        cn1=syslogOrSnmpPort cs1Label=Filter cs1=filter cs2Label=Email Destination(s)
        cs2=emailAddresses

logger:615
    Category: /Logger/Alert/Configuration/Sent
    Description: Alert [name] has been sent
    Additional fields: fname=AlertName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=forwarderType dvc=syslogOrSnmpIpAddr
        dvchost=syslogOrSnmpOrEsmHostName cn1Label=Syslog or SNMP or ESM Destination Port
        cn1=syslogOrSnmpOrEsmPort cs1Label=Filter cs1=filter cs2Label=Email Destination(s)
        cs2=emailAddresses
Certificates

Audit Events on Certificates

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:643
    Category: /Logger/Component/Certificate/Configuration/Add
    Description: Certificate [name] has been added
    Additional fields: fname=alias duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Certificate

logger:650
    Category: /Logger/Component/Certificate/Configuration/Delete
    Description: Certificate [name] has been deleted
    Additional fields: fname=alias duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Certificate

logger:651
    Category: /Logger/Component/Certificate/Configuration/Update
    Description: Certificate [name] has been updated
    Additional fields: fname=alias duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Certificate
Archives

Audit Events on Archives

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:520
    Category: /Logger/Resource/Archive/Configuration/Add
    Description: Archive [archiveName] has been added
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId

logger:521
    Category: /Logger/Resource/Archive/Configuration/Delete
    Description: Archive [archiveName] has been deleted
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId

logger:523
    Category: /Logger/Resource/Archive/Configuration/Load
    Description: Archive [archiveName] has been loaded
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId

logger:524
    Category: /Logger/Resource/Archive/Configuration/Unload
    Description: Archive [archiveName] has been unloaded
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId

logger:525
    Category: /Logger/Resource/Archive/Configuration/Archive
    Description: Archive [archiveName] has been archived
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId

logger:526
    Category: /Logger/Resource/Archive/Add
    Description: Event archive settings added
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId

logger:527
    Category: /Logger/Resource/Archive/Update
    Description: Daily archive task settings updated
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId

logger:528
    Category: /Logger/Resource/Archive/Failed
    Description: Event archive failed
    Additional fields: fname=archiveName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=EventArchive fileId=archiveId


Filters

Audit Events on Filters

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:500
    Category: /Logger/Resource/Filter/Configuration/Add
    Description: Filter [filterName] has been added
    Additional fields: fname=filterName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Filter fileId=filterId

logger:501
    Category: /Logger/Resource/Filter/Configuration/Delete
    Description: Filter [filterName] has been deleted
    Additional fields: fname=filterName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Filter fileId=filterId

logger:502
    Category: /Logger/Resource/Filter/Configuration/Update
    Description: Filter [filterName] has been updated
    Additional fields: fname=filterName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Filter fileId=filterId


Peers

The peers covered in this topic refer to peer relationships between or among the Logger components in
multiple installations of ESM with CORR-Engine.

Audit Events on Logger Peers

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:550
    Category: /Logger/Resource/PeerLogger/Configuration/Add
    Description: Peer Logger [name] has been added
    Additional fields: fname=Name duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Peer Logger fileId=LoggerId

logger:570
    Category: /Logger/Resource/PeerLogger/Authorizations/Configuration/Add
    Description: Peer Logger authorization [name] has been added
    Additional fields: fname=Name duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Peer Logger Authorization

logger:571
    Category: /Logger/Resource/PeerLogger/Authorizations/Configuration/Delete
    Description: Peer Logger authorization [name] has been deleted
    Additional fields: fname=Name duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Peer Logger Authorization fileId=LoggerId


Saved Searches

Audit Events on Saved Searches

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:540
    Category: /Logger/Resource/SavedSearch/Configuration/Add
    Description: Saved search [name] has been added
    Additional fields: fname=savedSearchName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Saved Search fileId=savedSearchId

logger:541
    Category: /Logger/Resource/SavedSearch/Configuration/Delete
    Description: Saved search [name] has been deleted
    Additional fields: fname=savedSearchName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Saved Search fileId=savedSearchId

logger:542
    Category: /Logger/Resource/SavedSearch/Configuration/Update
    Description: Saved search [name] has been updated
    Additional fields: fname=savedSearchName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Saved Search fileId=savedSearchId


Storage Groups

Audit Events on Storage Groups

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:530
    Category: /Logger/Resource/StorageGroup/Configuration/Add
    Description: Storage group [storageGroupName] has been added
    Additional fields: fname=storageGroupName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Storage Group fileId=storageGroupId

logger:532
    Category: /Logger/Resource/StorageGroup/Configuration/Update
    Description: Storage group [storageGroupName] has been updated
    Additional fields: fname=storageGroupName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Storage Group fileId=storageGroupId


Storage Rules (Storage Mapping)

Audit Events on Storage Rules

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:533
    Category: /Logger/Resource/StorageRule/Configuration/Add
    Description: Storage rule [name] has been added
    Additional fields: fname=storageRuleName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Storage Rule

logger:535
    Category: /Logger/Resource/StorageRule/Configuration/Update
    Description: Storage rule [name] has been updated
    Additional fields: fname=storageRuleName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Storage Rule
Storage Volume

Audit Event on Storage Volume

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:536
    Category: /Logger/Resource/StorageVolume/Configuration/Add
    Description: Storage volume [name] has been added
    Additional fields: fname=storageVolumeName duser=UserName duid=userId cs4=sessionId
        cs4Label=Session ID fileType=Storage Volume fileId=storageVolumeId


Searches

Audit Events on Searches

Device Event Class ID    Device Event Category (cat)    Audit Event Description

logger:680
    Category: /Logger/Search/Index/Update
    Description: Search indices have been added, or: Search index has been added
    Additional fields: cs4=sessionId fileType=Search Index Configuration duser=UserName
        msg=Search index has been added cn1=1 duid=1 cs4Label=Session ID rt=receiptTime
        cn1Label=No. of fields added

logger:690
    Category: /Logger/Search/Options/Update
    Description: Search options have been updated
    Additional fields: cs6=false cs7=true cs4=sessionId cs5=false cs2=false cs3=false
        cs1=true cs8=false cs1Label=Field Search Case Sensitivity duid=1
        cs7Label=Field Summary cs8Label=Field Summary Field Discovery
        cs6Label=Display options rawEvent cs3Label=Regex Search Unicode Case Sensitivity
        fileType=Search Options duser=UserName cs5Label=Regex Search Canonical Equality Check
        cs4Label=Session ID rt=receiptTime cs2Label=Regex Search Case Sensitivity

logger:710
    Category: /Logger/Search/Cancelled
    Description: Search session [sessionID] has been cancelled by [user]
    Additional fields: cs1Label=Session ID duid=1 cs1=sessionId duser=UserName rt=receiptTime
Manager Activation

Device Event Class ID    Audit Event Description

manager:100
    Manager has started.

manager:101
    A clean Manager shutdown has been requested.


Manager External Event Flow Interruption

Device Event Class ID    Audit Event Description

manager:200
    Manager has stopped the event flow.

manager:201
    Manager has allowed the event flow to resume.


Notification

Audit Events for Notification Category

Device Event Class ID    Audit Event Description

notification:100
    Notification has been disabled.

notification:101
    Notification has been disabled because the queue of notifications to be sent is too large.

notification:102
    Notification has been enabled.

notification:103
    Notification has been enabled because the queue of notifications is back under control.

notification:104
    A particular notification destination has been disabled.

notification:105
    A particular notification destination has been disabled because too much traffic was
    directed at it.

notification:106
    A particular notification destination has been enabled.

notification:107
    A notification expired without being acknowledged.

notification:108
    A functioning destination could not be located for this notification.

notification:109
    An old notification has been purged.
Notification Acknowledgement, Escalation, and Resolution

Device Event Class ID    Audit Event Description

notification:110
    Notification has been escalated.

notification:111
    Notification sent requires acknowledgement.

notification:112
    An informational notification was sent.

notification:300
    This notification has been acknowledged.

notification:301
    This notification has been resolved.


Notification Testing

Device Event Class ID    Audit Event Description

notification:200
    Sent a test notification to this destination group.


Pattern Discovery

Device Event Class ID    Audit Event Description

pattern:001
    New pattern discovered.

pattern:002
    Pattern rediscovered.

profile:001
    Pattern discovery run started.

profile:002
    Pattern discovery run finished.


Query Viewers

Audit Events for Query Viewer Category

Device Event Class ID    Audit Event Description

queryviewer:100
    Base query used by the query viewer succeeded.

queryviewer:101
    Base query used by the query viewer failed.

queryviewer:102
    Base query used by the query viewer has started.
Reports

Audit Events for Report Category

Device Event Class ID    Audit Event Description

report:100
    Generated a new archived-report configuration resource.

report:101
    Failed to generate a new archived-report configuration resource.

report:102
    Generated a new delta archived-report configuration resource.

report:103
    Report cancelled.

report:104
    Generate report started.

report:105
    Report generate process halted because the report was empty.


Resource Quota

Audit Events for Resource Quota Category

Device Event Class ID    Audit Event Description

quota:100
    Resource usage has fallen below the fixed-quota level.

quota:101
    Resource usage has exceeded the fixed-quota level.

quota:102
    Asset autocreation has exceeded a fixed quota.

quota:103
    Asset autocreation is proceeding too rapidly.


Rule Actions

Audit Events for Rule Actions Category

Device Event Class ID    Audit Event Description

rule:300
    For rule actions that do not have specific DEC IDs assigned.

rule:302
    Set Event Attribute action.

rule:303
    Send to Notifier action.

rule:304
    Execute Command action.

rule:305
    Export... action.

rule:306
    Create New Case action.

rule:307
    Add to Case action.

rule:308
    Create New Case action failed.

rule:309
    Add to Case action failed.

rule:310
    Add to Active List action.

rule:312
    Remove from Active List action.

rule:313
    Run SmartConnector (agent) command.

rule:314
    Send command or data to OpenView.

rule:315
    AddAssetCategory.

rule:316
    RemoveAssetCategory.


Rule Activations

Audit Events for Rule Activations Category

Device Event Class ID    Audit Event Description

rule:700
    Rule has been deactivated.

rule:701
    Rule has been deactivated because it is unsafe. There was excessive recursion or event matching.

rule:702
    Rule has been activated.

rule:703
    Unsafe rule activation.


Rule Firings

Audit Events for Rule Firings Category

Device Event Class ID    Audit Event Description

rule:101
    Rule fired OnEveryEvent.

rule:102
    Rule fired OnFirstEvent.

rule:103
    Rule fired OnSubsequentEvents.

rule:104
    Rule fired OnEveryThreshold.

rule:105
    Rule fired OnFirstThreshold.

rule:106
    Rule fired OnSubsequentThresholds.

rule:107
    Rule fired OnTimeWindowExpiration.

rule:108
    Rule fired OnTimeUnit.


Rule Warnings

Device Event Class ID    Audit Event Description

rule:501
    Rule is firing on events generated by itself (infinite loop).


Scheduler Execution

Device Event Class ID    Audit Event Description

scheduler:200
    A task has been executed.

scheduler:201
    A task failed to execute.


Scheduler Scheduling Tasks

Audit Events for Scheduler Scheduling Tasks Category

Device Event Class ID    Audit Event Description

scheduler:300
    A new task has been scheduled.

scheduler:301
    A new task could not be scheduled.

scheduler:302
    Enabled a task.

scheduler:303
    Could not enable a task.

scheduler:304
    Deleted a task.

scheduler:305
    Failed to delete a task.

scheduler:306
    Disabled a task.

scheduler:307
    Could not disable a task.
Scheduler Skip

Device Event Class ID    Audit Event Description

scheduler:100
    The task scheduler skipped a scheduled task execution because the scheduler was not allowed
    to run.

scheduler:101
    The task scheduler skipped a scheduled task invocation because the last invocation of the task
    is still executing.


Session Lists

Audit Events for Session List Category

Device Event Class ID    Audit Event Description

sessionlist:101
    An entry was added to a session list.

sessionlist:102
    An entry was removed from a session list.

sessionlist:103
    A session list entry was updated.

sessionlist:104
    An entry in a session list was auto-terminated as the session expired.

sessionlist:201
    A session list partition was added.

sessionlist:202
    A session list partition was dropped.

sessionlist:203
    A session list partition add failed.

sessionlist:204
    A session list partition drop failed.

sessionlist:301
    During lookup on a session list value, the value was not available in Manager memory, and the
    lookup was not performed on the database.

    This can occur if too many session list lookups are performed against the database. Typically,
    the Manager generates one audit event for any number of dropped lookups in a time period,
    instead of one per dropped lookup.
Stress

Device Event Class ID    Audit Event Description

test:100
    A stress test event.

    This event is generated only by ArcSight Quality Assurance.


Trends

Audit Events for Trend Category

Device Event Class ID    Audit Event Description

trend:100
    Trend run started.

trend:101
    Trend run success.

trend:102
    Trend run failure.

trend:201
    Trend scavenge success.

trend:202
    Trend scavenge failure.

trend:401
    Trend enabled.

trend:402
    Trend disabled.

trend:501
    Trend task started.

trend:502
    Trend task ended.

trend:601
    Trend was automatically deactivated because of too many failures.

trend:701
    Trend successfully updated an active list.

    You can add an action to a trend to send columns (fields) in trend results to a fields-based
    active list.


Trend Partitions

Audit Events for Trend Partitions Category

Device Event Class ID    Audit Event Description

trend:301
    Trend partition added.

trend:302
    Trend partition dropped.

trend:303
    Trend partition add failed.

trend:304
    Trend partition drop failed.


User Login

Audit Events for User Logins

Device Event Class ID    Audit Event Description

authentication:100
    Successful client login.

authentication:101
    Failed client login.

authentication:102
    Client logout.

authentication:103
    Client timed out due to inactivity.

authentication:104
    Too many client login failures occurred within a time period.

    Note: After the third login failure, future logins are prevented. The next time this user logs in,
    the generated event is authentication:101, Failed client login, with the reason “User disabled.”
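The User Login and Connector Login tables give a SOC everything needed to watch authentication against the Manager from its own audit stream: repeated authentication:101 events for one user, the Manager's own authentication:104 "too many failures" event, and authentication:201 for connectors that fail to authenticate. The triage routine below is an added example, not code from the ESM guide: it consumes already-normalized audit records (the dict layout with `dec_id`, `subject` and `ts`, the 10-minute window and the sample records are all assumptions constructed for this example) and reports subjects whose failed logins reach the three-failure lockout threshold the note describes inside a sliding window, alongside the Manager-flagged users and the connectors with failed authentication.

```python
"""Triage ESM authentication audit events by Device Event Class ID.

Added example, not from the ESM guide. The DEC IDs come from the User Login and
Connector Login tables; the record layout (dec_id, subject, ts), the 10-minute
window and the sample records are assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILED_CLIENT_LOGIN = "authentication:101"      # Failed client login
TOO_MANY_FAILURES = "authentication:104"        # Too many client login failures in a time period
CONNECTOR_AUTH_FAILED = "authentication:201"    # Connector authentication failed
LOCKOUT_THRESHOLD = 3                           # the note: logins are blocked after the third failure
WINDOW = timedelta(minutes=10)                  # assumption: how close together failures must be


def _t(hhmm: str) -> datetime:
    """Timestamp helper for the constructed sample day."""
    return datetime.strptime("2015-09-19 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample audit records (not real ESM output).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"dec_id": "authentication:100", "subject": "analyst2", "ts": _t("07:55")},
    {"dec_id": FAILED_CLIENT_LOGIN, "subject": "analyst1", "ts": _t("08:00")},
    {"dec_id": FAILED_CLIENT_LOGIN, "subject": "analyst1", "ts": _t("08:02")},
    {"dec_id": FAILED_CLIENT_LOGIN, "subject": "analyst2", "ts": _t("08:03")},
    {"dec_id": FAILED_CLIENT_LOGIN, "subject": "analyst1", "ts": _t("08:05")},
    {"dec_id": TOO_MANY_FAILURES, "subject": "analyst1", "ts": _t("08:05")},
    {"dec_id": CONNECTOR_AUTH_FAILED, "subject": "conn-web-01", "ts": _t("08:30")},
    {"dec_id": FAILED_CLIENT_LOGIN, "subject": "analyst2", "ts": _t("09:40")},
]


def failure_bursts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW) -> Dict[str, List[datetime]]:
    """Return {subject: timestamps} for subjects whose authentication:101 events reach
    `threshold` inside a sliding `window`; the list is the first burst that qualified."""
    stamps = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["dec_id"] == FAILED_CLIENT_LOGIN:
            stamps[e["subject"]].append(e["ts"])
    bursts = {}
    for subject, ts in stamps.items():
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:      # drop failures that fell out of the window
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[subject] = ts[lo:hi + 1]
                break
    return bursts


def triage(events) -> Dict[str, object]:
    """Summarise what the audit stream says about failed authentication."""
    return {
        "failure_bursts": failure_bursts(events),
        "manager_flagged": sorted({e["subject"] for e in events
                                   if e["dec_id"] == TOO_MANY_FAILURES}),
        "connector_auth_failed": sorted({e["subject"] for e in events
                                         if e["dec_id"] == CONNECTOR_AUTH_FAILED}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

With the sample records, analyst1 reaches three failures within five minutes and is also the subject of the Manager's authentication:104 event, while analyst2's two failures are more than an hour apart and do not qualify; widening the window or lowering the threshold changes that, which is why both are parameters.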


User Management

Audit Events for User Management Category

Device Event Class ID    Audit Event Description

user:100
    A user account was deleted.

user:101
    A user account was updated.

    This audit event is generated when an existing user account is modified or a new user is inserted.

user:102
    A user account was added.

    When a new user account is inserted, two audit events are generated: this User Inserted event,
    and a User Update event (user:101).

Also see the section “Group Management,” earlier in the Audit Events section, which reflects adds,
deletes, and updates of groups, including user groups.
Base Queries for Query Viewers

A primary attribute of any query viewer is the SQL query it references and uses. This is the core of the
query viewer. If you create the query viewer yourself, you define this as part of the initial query viewer
attributes by browsing to and choosing a query from the Reports/Queries tree. If you are using a
predefined query viewer, it already references a base query.

Reports, trends, and query viewers are all consumers of SQL queries, which still must be created first
in the Reports resource Queries tab. So, if you don’t find a query viewer or query that gives the data
view you want, you first need to create a new query in Reports > Queries. Then go to the Query
Viewers resource to create a new query viewer that references the base query you just created. (For
information on creating queries, see "Building Queries" on page 301.)


Batching 

Batching is a mode in which ArcSight SmartConnectors receive or send collections of events at one 
time rather than immediately after each occurrence. 


Case Editor Tab Fields 


This topic is a directory to reference information about the fields on the Case Editor tabs. The Case
Editor displays case information organized in five major tabs:

Fields on Case Editor Tabs

Case Editor Tab    Description

Initial        Basic case information: case ticket attributes, description and security classification.
               "Case Editor Initial - Attributes Tab"
               "Case Editor Initial - Description Tab"
               "Case Editor Initial - Security Classification Tab"

Follow-Up      Description of actions taken, planned, or recommended.
               "Case Editor Follow-Up Tab"

Final          Ticket resolution and reporting including attack mechanism, attack agent, incident
               information, and vulnerability information.
               "Case Editor Final - Attack Mechanism Tab"
               "Case Editor Final - Attack Agent Tab"
               "Case Editor Final - Incident Information Tab"
               "Case Editor Final - Vulnerability Tab"
               "Case Editor Final - Other Tab"

Events         List of events included in case.
               "Case Editor Events Tab"

Attachments    List of attachments in the case. Provides option to attach or detach items to the case.
               "Case Editor Attachments Tab"

Notes          Miscellaneous case information.
               "Case Editor Notes Tab"

This organization lets you separate information based on the workflow and handling or resolution of
individual cases.


Note: Reminders about editing cases

• To edit a saved case, first select the Lock Case checkbox to prevent other users from
modifying and overwriting your edits.

• Basically, only the Name field is required. However, the Case Editor UI may have been
customized by making additional fields required. Customization of such fields is performed
by HP Professional Services who are tasked to work on ArcSight products.


Case Editor Initial - Attributes Tab 


The fields on this tab provide basic case information. 

Case Section

Field         Description

Name          Required field specifying name of case.

Display ID    An identification provided by an external tracking system.
Ticket Section

Field                      Description

Ticket Type                Drop-down list includes Internal, Client, and Incident types.

Stage                      Indicates the workflow stage of the ticket; default selections include
                           Queued, Initial, Follow-Up, Final, and Closed.

Frequency                  Indicates how often the reported issue occurs. Values assigned are 0
                           (never or once), 1 (less than 10 times), 2 (10 to 15 times), 3 (15
                           times), 4 (more than 15).

Operational Impact         Impact of the reported issue. Values assigned are 0 (no impact), 1 (no
                           immediate impact), 2 (low priority impact), 3 (high priority impact), 4
                           (immediate impact).

Security Classification    Values assigned are 1 (Unclassified), 2 (Confidential), 3 (Secret), 4
                           (Top Secret).

Consequence Severity       Values assigned are 0 (None), 1 (Insignificant), 2 (Marginal), 3
                           (Critical), 4 (Catastrophic).

Reporting Level            Number calculated based on the Ticket info values entered.

Tip: You can use entries in all case Ticket fields to generate reports so you can categorize cases
based on specific case information.


Incident Information Section 


Field                     Description

Detection Time            Automatically assigned based on the first event that is added to a case. Time is
                          based on the Manager’s system time. Once assigned, the value does not change
                          even if you add events or remove existing events.

Estimated Start Time      Automatically assigned based on the Manager Receipt Time (MRT) of the oldest
                          event attached to the case, even if more recent events were added to the case
                          before this oldest event. If you remove this oldest event from the case,
                          Estimated Start Time takes the MRT of the next oldest event in the case, and
                          so on. If you remove all events from the case, the field is blank.

Estimated Restore Time    This is a user-entry field to denote the date when the case is resolved. Select
                          a timestamp from the calendar popup.


Case Editor Initial - Description Tab 

The fields on this tab further describe a case. 
Case Editor Description Tab

Field                Description

Affected Services    Text field allowing entry of up to 4000 characters.

Affected Elements    Text field allowing entry of up to 4000 characters.

Estimated Impact     Text field allowing entry of up to 4000 characters.

Affected Sites       Text field allowing entry of up to 4000 characters.


Case Editor Initial - Security Classification Tab 


The fields on this tab describe the security classification for a case. 

Security Classification Section

Field                Description

Attack Mechanism     Options include: P (Physical), O (Operational), I (Informational), and U
                     (Unknown)

Attack Agent         Options include: I (Insider), C (Collaborative), O (Outsider), and U (Unknown)

Incident Source 1    Editable text.

Incident Source 2    Editable text.

Vulnerability        Options include: D (Design), O (Operational), E (Operational Environment), and
                     U (Unknown)

Sensitivity          Options include: U (Unclassified), C (Confidential), S (Secret), and T (Top
                     Secret)

Associated Impact    Options include: A (Availability), C (Confidentiality), I (Integrity), and U
                     (Unknown)

Action               Selections include: B (Block/Shutdown), M (Monitoring), and O (Other)

Security Classification Code Section

Field    Description

Code     Value automatically calculated from other Security Classification field entries.


Case Editor Follow-Up Tab 

The fields on this tab describe follow-up entries for a case. 
Case Editor Follow-Up Tab

Field                  Description

Actions Taken          Text field allowing entry of up to 4000 characters.

Planned Actions        Text field allowing entry of up to 4000 characters.

Recommended Actions    Text field allowing entry of up to 4000 characters.

Followup Contact       Text field allowing entry of up to 4000 characters.


Case Editor Final - Attack Mechanism Tab 


The fields on this tab provide final ticket resolution and reporting information for the attack mechanism 
associated with a case. 

Case Editor Attack Mechanism Tab

Field                  Description

Attack Mechanism       Auto-populated from Security Classification tab. Possible values are P
                       (Physical), O (Operational), I (Informational), and U (Unknown).

Attack Protocol        Text field allowing entry of up to 64 characters.

Attack OS              Text field allowing entry of up to 64 characters.

Attack Program         Text field allowing entry of up to 255 characters.

Attack Time            Date field. Defaults to the current time. Set by choosing values from the
                       calendar.

Actions Target         Text field allowing entry of up to 4000 characters.

Attack Service         Text field allowing entry of up to 4000 characters.

Attack Impact          Text field allowing entry of up to 4000 characters.

Final Report Action    Text field allowing entry of up to 4000 characters.


Case Editor Final - Attack Agent Tab 


Fields on this tab provide ticket resolution and reporting information related to the attack agent 
associated with a case. 

Case Editor Attack Agent Tab

Field                 Description

Attack Agent          Auto-populated from Security Classification tab. Possible values are I (Insider),
                      C (Collaborative), O (Outsider), and U (Unknown).

Attack Location Id    Text field allowing entry of up to 255 characters.

Attack Node           Text field allowing entry of up to 255 characters.

Attack Address        Text field allowing entry of up to 255 characters.


Case Editor Final - Incident Information Tab 


The fields on this tab provide final incident information associated with a case. 

Case Editor Incident Information Tab

Field                      Description

Incident Source 1          Auto-populated from Security Classification tab.

Incident Source 2          Auto-populated from Security Classification tab.

Incident Source Address    Text field allowing entry of up to 200 characters.


Case Editor Final - Vulnerability Tab 


The fields on this tab provide final ticket resolution and reporting information related to the 
vulnerabilities associated with a case. 

Case Editor Vulnerability Tab

Field                     Description

Vulnerability             Auto-populated from Security Classification tab. Possible values are D
                          (Design), O (Operational), E (Operational Environment), and U (Unknown).

Vulnerability Type 1      Selections include: Accidental or Intentional

Vulnerability Type 2      Selections include: EMI/RFI, Insertion of Data, Theft of Service,
                          Unauthorized, Probes, Root Compromise, DoS Attack, User Account

Vulnerability Evidence    Text field allowing entry of up to 4000 characters.

Vulnerability Source      Text field allowing entry of up to 4000 characters.

Vulnerability Data        Text field allowing entry of up to 4000 characters.


Case Editor Final - Other Tab 

The fields on this tab provide miscellaneous ticket resolution and final reporting information. 
Case Editor Other Tab

Field                   Description

History                 Selections include: Known Occurrence and Unknown

No Occurrences          Numeric value

Last Occurrence Time    Enterable time or selector.

Resistance              Selections include: High, Low, Unknown

Consequence Severity    Auto-populated from Initial Attributes tab

Sensitivity             Auto-populated from Initial Attributes tab

Recorded Data           Text field allowing entry of up to 4000 characters.

Inspection Results      Text field allowing entry of up to 4000 characters.

Conclusions             Text field allowing entry of up to 4000 characters.


Case Editor Events Tab 


The fields on this tab provide a list of the events included in a case. 

Case Editor Events Tab

Field                            Description

Description                      Events auto-populated from events included in a case.

Event Info and Payload fields    For selected events, displays event field values and, if available,
                                 payload fields. If a rule created or updated the case, the tab displays
                                 the rule correlation event that triggered updates on the case.
                                 Additionally, if also configured in the rule, the correlated base events
                                 are included.


Case Editor Attachments Tab 

This tab lists attachments (if any) for the case, and provides options to attach new items via a file 
browser or detach items. 


Note: Files attached to the case are stored along with the case, and additionally stored in the Files
resource. Space usage may eventually increase. To manage space usage, see the Best Practices
section in the topic, "Attaching a File to a Case" on page 605.


Case Editor Notes Tab 

The fields on this tab provide a place to enter miscellaneous case information and notes. 
Case Editor Notes Tab

Field                  Description

Notes                  Text field allowing entry of up to 4000 characters that you can save per note.

Table and List Tabs    Table lists saved notes that you can select to display contents; List provides a
                       combined listing of all saved notes, in chronological order.


Cases 

Cases are entries in an event-tracking system used to track, investigate, and resolve suspicious 
events in a workflow-type environment. When suspicious events occur, cases are created and 
assigned to users, who then investigate and resolve them based on enterprise policies and practices. 

ArcSight has two ways to create and handle cases. First, it has its own complete case-management 
system. You can use this system to create new cases and assign them to specific groups and users 
who are notified and receive the cases and relevant data and information associated with the case. 
Those users can then act on the assigned cases, specifying resolution or other actions taken on the 
case, which gets reported back and recorded in the ongoing or final resolution of a case. 

In addition to using the built-in case management system that ArcSight provides, you can also integrate
it with other external case management systems such as Remedy. In that situation, adding new cases
exports event information and brings up forms of the external case management system for you to
create and assign new cases. The integration with an external case management system can also be
customized so that case resolution is reported back and recorded.

Case attachments enable you to attach files to any case you are able to edit, for example log files. You 
are also able to delete cases and attachments; if you delete a case, it deletes the attachment. You can 
add a file to a case, making it public or private. Private means that the attachment is never shared with 
other cases; Public means that everyone has access to the latest edited version of that file. Sharing 
attachments makes it possible to share files that are common among many cases, for example as with 
a non-disclosure agreement. 

For complete information on working with cases, see "Case Management and Queries" on page 596. 


Case Groups 

Cases are organized into these groups:

Case Group            Description

<UserName>'s Cases    Cases assigned to the user ID.

Shared Cases          Cases that the logged-in user has permission to access.

Public Cases          Cases to which all users have read permission.

Unassigned            Cases that are not assigned to any user.

If you have Administrator access, you also have a group named All Cases that contains all user case
groups and their cases.

Categories 

ArcSight uses categories and a flexible set of supporting attributes to distinguish the events reported by 
SmartConnectors or generated internally by Managers. You see these under the Category heading in 
tools such as the "Common Conditions Editor (CCE)" on page 864, "Rules Editor" on page 1037, or 
"Event Inspector" on page 988. This ability to recognize more detailed and specific event conditions 
increases your analytic and reactive options. 

These categories and attributes are designated by ArcSight, based on the information offered to 
SmartConnectors by sensors. Keep in mind that the applicability of a category always depends on the 
actual configuration of the environment. 

Category Groupings

Category                 Description

Object Category          Events are always about a certain object. An object can, for example, be an
                         application, the operating system, the database, a file or the memory of a
                         server. It is important to realize that we are referring to the targeted object.
                         It is not about who is doing something, but what is the object being accessed,
                         altered, and so forth. See "Object Category" on the next page.

Behavior Category        Events not only refer to certain objects, but there is generally an action or a
                         behavior associated with an event. What is being done to an object? Behaviors
                         include access, execution, or modification, and so on. See "Behavior Category"
                         on page 857.

Outcome Category         With the first two dimensions, we know what object is being referred to and
                         what action targeted the object. However, we do not know whether the behavior
                         was successful or not. Therefore, the outcome is a success, a failure or an
                         attempt. An attempt really indicates that something was neither a success nor a
                         failure and the outcome is not clear or there is no statement that could be made
                         about the outcome. See "Outcome Category" on page 858.

Device Group Category    Many security devices serve a multitude of purposes in one product. For
                         example, intrusion prevention systems generate events associated with their
                         firewall capabilities, as well as their intrusion detection capabilities. To be
                         able to distinguish between these types of events, we introduced a dimension
                         called deviceGroup. This dimension allows us to query, for example, for all of
                         the firewall-type events as opposed to all of the events generated by a
                         firewall. The distinction is that the former query also returns all the firewall
                         messages found, for example, in the operating system logs (for example,
                         iptables). See "Device Group Category" on page 859.

Significance Category    We need to know the significance of an event. We need the capability, for
                         example, to separate normal events from hostile events. We also need to know
                         whether certain activity reported by the device impacts the availability,
                         confidentiality, or integrity of our systems. All this information is captured in
                         significance. See "Significance Category" on page 862.

Technique Category       Frequently in a security context, we would like to obtain information about the
                         type of events with respect to a security domain. Is an event talking about a
                         denial of service, a brute force attack, IDS evasions, exploits of
                         vulnerabilities, and so forth? See "Technique Category" on page 859.
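To make the deviceGroup distinction in the table concrete, here is an added example in Python (not code from the ArcSight guide). It represents constructed events with the category dimensions described above and shows that a query for firewall-type events also returns the IPS block and the iptables message from a Linux system log, both of which a query by firewall product misses. The field names (deviceProduct, categoryDeviceGroup, categoryObject, categoryBehavior, categoryOutcome), the product names and the category path strings are assumptions built from the names in this section's tables.

```python
"""Querying the category dimensions of normalised events. Added example, not
code from the ArcSight guide: the events are constructed, the field names are
assumed to mirror the category dimensions the guide describes, and the category
path strings are built from the names in the guide's tables."""

# Constructed sample events. The iptables message is logged by a Linux host, so
# its product is the operating system, but it is a firewall-type message and
# therefore carries deviceGroup /Firewall. The IPS produces both kinds of event.
SAMPLE_EVENTS = [
    {"deviceProduct": "ExampleFW", "name": "Drop", "categoryDeviceGroup": "/Firewall",
     "categoryObject": "/Host/Resource/Interface", "categoryBehavior": "/Access",
     "categoryOutcome": "/Failure"},
    {"deviceProduct": "ExampleFW", "name": "Admin login", "categoryDeviceGroup": "/Firewall",
     "categoryObject": "/Host/Application", "categoryBehavior": "/Authentication/Verify",
     "categoryOutcome": "/Success"},
    {"deviceProduct": "ExampleIPS", "name": "Signature match", "categoryDeviceGroup": "/IDS/Network",
     "categoryObject": "/Network", "categoryBehavior": "/Communicate/Query",
     "categoryOutcome": "/Attempt"},
    {"deviceProduct": "ExampleIPS", "name": "Connection blocked", "categoryDeviceGroup": "/Firewall",
     "categoryObject": "/Host/Resource/Interface", "categoryBehavior": "/Access",
     "categoryOutcome": "/Failure"},
    {"deviceProduct": "Linux", "name": "iptables: dropped", "categoryDeviceGroup": "/Firewall",
     "categoryObject": "/Host/Resource/Interface", "categoryBehavior": "/Access",
     "categoryOutcome": "/Failure"},
    {"deviceProduct": "Linux", "name": "sshd: Failed password", "categoryDeviceGroup": "/Operating System",
     "categoryObject": "/Host/Operating System", "categoryBehavior": "/Authentication/Verify",
     "categoryOutcome": "/Failure"},
]

# Assumed inventory of dedicated firewall products in this environment.
FIREWALL_PRODUCTS = {"ExampleFW"}


def select(events, **prefixes):
    """Return the events whose category fields start with the given paths.
    Category values are hierarchical, so the prefix "/Authentication" also
    matches "/Authentication/Verify"."""
    def matches(event):
        return all(event.get(field, "").startswith(prefix)
                   for field, prefix in prefixes.items())
    return [e for e in events if matches(e)]


def firewall_type_events(events):
    """All firewall-type events, whatever product logged them."""
    return select(events, categoryDeviceGroup="/Firewall")


def events_from_firewall_products(events, products=FIREWALL_PRODUCTS):
    """All events generated by a firewall product, whatever their type."""
    return [e for e in events if e["deviceProduct"] in products]


def firewall_type_not_from_firewalls(events, products=FIREWALL_PRODUCTS):
    """The difference the guide points out: firewall messages that come from
    something other than a dedicated firewall (an IPS, an OS log)."""
    return [e for e in firewall_type_events(events) if e["deviceProduct"] not in products]


if __name__ == "__main__":
    names = lambda evs: [e["name"] for e in evs]
    print("firewall-type events:", names(firewall_type_events(SAMPLE_EVENTS)))
    print("events from firewall products:", names(events_from_firewall_products(SAMPLE_EVENTS)))
    print("firewall-type, not from a firewall:", names(firewall_type_not_from_firewalls(SAMPLE_EVENTS)))
    failed_auth = select(SAMPLE_EVENTS, categoryBehavior="/Authentication", categoryOutcome="/Failure")
    print("failed authentication from any device:", names(failed_auth))
```

The last query in the usage section combines two dimensions (behavior and outcome) without naming any product, which is the point of the taxonomy: a rule written against category paths keeps working when a new vendor's device is added, as long as the SmartConnector categorizes its events.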


Object Category 


Object Category Details

Host                     Any end-system on the network, such as a PDA, a Windows computer, or a Linux
                         computer.

  Operating System       The system software that controls execution of computer programs and access
                         to resources on a host.

  Application            A software program that is not an integral part of the operating system.

    Service              An application that normally executes at operating system startup. A service
                         often accepts network connections.

    Database             A database application.

    Backdoor             An application, visible on a host, that listens for network connections and can
                         give a non-authorized user control over that host.

    DoS Client           A host that is displaying an application that can participate in a (possibly
                         distributed) denial-of-service attack.

    Peer to Peer         An application that listens for, and establishes network connections to, other
                         installations of the same application (for example, Kazaa, Morpheus, Napster).

    Virus                A host that is displaying a replicating infection of a file that also executes
                         other behaviors on the infected host.

    Worm                 A host that is displaying a self-replicating program that spreads itself
                         automatically over the network from one computer to the next.

  Resource               An operating system resource that is characteristically limited in its supply.

    File                 A long-term storage mechanism (for example, files, directories, hard disks, and
                         so forth).

    Process              A single executable module that runs concurrently with other executable
                         modules.

    Interface            An interface to the network.

    Interface Tunnel     Packaging a lower network protocol layer within a higher layer (for example,
                         IPSec Tunnel, HTTP tunneling).

    Registry             The central configuration repository for the operating system and the
                         applications. Application-specific information is not stored here.

    CPU                  Events directed at this object relate to consumption or use of the overall
                         processing power of the host.

    Memory               Events directed at this object relate to consumption or use of the overall
                         memory of the host.

Network                  Events that cannot be clearly associated with a host's subitem. Events that
                         involve transport, or many hosts on the same subnet.

  Routing                Routing related events such as BGP.

  Switching              Switching related events such as VLANs.

Actor

  User                   A single human identity.

  Group                  A named collection of users, such as an employee division or social group.

Vector                   The replication path for a section of malicious code.

  Virus                  A replicating infection of a file that also executes other behaviors on the
                         infected host.

  Worm                   A self-replicating program that automatically spreads itself across the
                         network, from one computer to the next.

  Backdoor               An application that listens for network connections and can give a
                         non-authorized user control over that host.

  DoS Client             An application that participates in a (possibly distributed) denial-of-service
                         attack.
Behavior Category

Behavior Category Details

Access              Refers to accessing objects, as in reading.

  Start             The start of an ongoing access, such as login.

  Stop              The end of an ongoing access, such as logging out.

Authentication      Actions that support authentication.

  Add               Adding new authentication credentials.

  Delete            Deleting authentication credentials.

  Modify            Modifying authentication credentials.

  Verify            Credential verification, such as when logins occur.

Authorization       Authorization-related actions.

  Add               Adding a privilege for the associated object (for example, a user).

  Delete            Removing a privilege for the associated object (for example, a user).

  Modify            Modifying the existing privileges for the associated user or entity.

  Verify            An authorization check, such as a privilege check.

Communicate         Transactions that occur over the wire.

  Query             Communicating a request to a service.

  Response          Communicating a response to a request, from a service.

Create              Seeks to create resources, install applications or services, or otherwise cause a
                    new instance of an object.

Delete              The reverse of creation events. Includes uninstalling applications, services, or
                    similar activity.

Execute             Involves loading or executing code, booting or shutting systems down, and similar
                    activity.

  Start             The beginning of execution of an application or service. This event is clearly
                    distinguished from a lone "Execute" attribute.

  Stop              The termination of execution of an application or service. This event is clearly
                    distinguished from a lone "Execute" attribute.

  Query             A query sent to a specific entity, but not over the network (for example, as when
                    generating a report).

  Response          The answer returned by an Execute/Query. For example, a report delivered back
                    from an application, or status messages from applications.

Modify              Involves changing some aspect of an object.

  Content           Changing the object's content, such as writing to or deleting from a file or
                    database.

  Attribute         Changing some attribute of an object, such as a file name, modification date, or
                    create date.

  Configuration     Changing an object's configuration. For example, application, operating system,
                    or registry changes.

Substitute          Replacing files, upgrading software, or service or host failovers.

Found               Noticing an object or its state.

  Vulnerable        An exploitable state that is characteristic of a particular hardware or software
                    release.

  Misconfigured     An exploitable state caused by a weak configuration or similar mishandling.

  Insecure          An exploitable state that arises from poor management or implementation. For
                    example, weak authentication, weak passwords, passwords passed in the clear,
                    default passwords, or simplistically named accounts.

  Exhausted         The targeted object was found to be exhausted (for example, not enough file
                    descriptors available).


Outcome Category 

These attributes indicate the probable success or failure of the specified event, within an overall 
context. For example, the outcome of an event such as an operation failed error message can be 
reported as a /Success given that the operation can be presumed to have actually caused a failure. 
Another example would be an event that identifies a Code Red infection: on a host running Linux the 
outcome would be /Failure (Code Red is Windows-only) while the same event directed at a host with 
an unknown OS would be reported as an /Attempt. 


Outcome Category Details

Attempt    The event occurred but its success or failure cannot be determined.

Failure    The event can be reasonably presumed to have failed.

Success    The event can be reasonably presumed to have succeeded.
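The outcome rules described above depend on context outside the event itself, in particular what ESM knows about the target asset (the operating system recorded in its asset categories). The following Python is an added example, not code from the ArcSight guide; it applies the two rules stated in the Outcome Category text against a constructed asset table. The asset table, the PLATFORM_SCOPE table and the event field names (signature, targetAddress, reportsFailedOperation) are assumptions made for the example.

```python
"""Context-dependent outcome categorisation. Added example, not code from the
ArcSight guide. It implements the two rules the guide's Outcome Category text
gives: an error message reporting a failed operation is itself a /Success, and
an event about a Windows-only worm (Code Red) directed at a Linux host is a
/Failure, while the same event against a host whose OS is unknown is an
/Attempt. The asset table, PLATFORM_SCOPE and the field names are assumptions."""

ATTEMPT, FAILURE, SUCCESS = "/Attempt", "/Failure", "/Success"

# Constructed asset model: the operating-system category of each target
# address, the kind of property the guide's Asset Categories record.
ASSET_OS = {
    "10.0.0.5": "Linux",
    "10.0.0.9": "Windows",
    # 10.0.0.77 is deliberately absent: its OS is unknown to ESM.
}

# Assumed knowledge base: the platforms each detected technique can affect.
# Code Red being Windows-only is stated in the guide; the table is constructed.
PLATFORM_SCOPE = {
    "Code Red": {"Windows"},
}


def infer_outcome(event, asset_os=ASSET_OS):
    """Return the /Attempt, /Failure or /Success outcome for one event."""
    if event.get("reportsFailedOperation"):
        # The event is an error message: the failure it reports can be presumed
        # to have really happened, so the event itself is a /Success.
        return SUCCESS

    scope = PLATFORM_SCOPE.get(event.get("signature"))
    target_os = asset_os.get(event.get("targetAddress"))
    if scope is None or target_os is None:
        # Nothing known about the technique, or the target's OS is unknown:
        # neither success nor failure can be asserted.
        return ATTEMPT
    if target_os not in scope:
        # The technique cannot work against this platform at all.
        return FAILURE
    # The platform is affected, but detection alone does not prove the
    # technique succeeded, so the most that can be asserted is an attempt.
    return ATTEMPT


def categorize(events, asset_os=ASSET_OS):
    """Attach a categoryOutcome to each event and return the new records."""
    return [dict(e, categoryOutcome=infer_outcome(e, asset_os)) for e in events]


# Constructed sample events: the same Code Red signature against three targets,
# plus an application error message.
SAMPLE_EVENTS = [
    {"name": "Code Red worm request", "signature": "Code Red", "targetAddress": "10.0.0.5"},
    {"name": "Code Red worm request", "signature": "Code Red", "targetAddress": "10.0.0.77"},
    {"name": "Code Red worm request", "signature": "Code Red", "targetAddress": "10.0.0.9"},
    {"name": "Operation failed", "signature": "App error", "reportsFailedOperation": True},
]

if __name__ == "__main__":
    for ev in categorize(SAMPLE_EVENTS):
        print(f"{ev['name']:24s} -> {ev.get('targetAddress', '-'):10s} {ev['categoryOutcome']}")
```

The three identical Code Red events receive three different outcomes purely from the asset model, which is why keeping asset categories current matters for the quality of the Outcome dimension: a host with no recorded OS can only ever produce an /Attempt.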


Device Group Category 


Device Group Category Details

Application                     An application program

Assessment Tool                 A network- or host-based scanner that monitors issues such as
                                vulnerability, configurations, and ports

Security Information Manager    A security-event processing correlation engine (the Manager). This
                                "device" deals only in correlated events.

Firewall                        A firewall

IDS                             An intrusion-detection system. Includes:

  Network                       A network-based intrusion-detection system

  Host                          A host-based intrusion-detection system. Includes:

    Antivirus                   An anti-virus scanner

    File Integrity              A file-integrity scanner

Identity Management             Identity management

Operating System                An operating system

Network Equipment               Network equipment. Includes:

  Router                        A network device with routing (layer 3) capabilities

  Switches                      A network device with switching (layer 2) capabilities

VPN                             A virtual private network


Technique Category 


Technique Category Details

Traffic                   An anomaly in the network traffic, such as non-RFC compliance.

  Network Layer           Anomalies related to IP, ICMP, and other network-layer protocols. Includes:

    IP Fragments          Fragmented IP packets.

    Man in the Middle     A man-in-the-middle attack.

    Spoof                 Spoofing a source or destination IP address.

    Flow                  A problem in network-layer communication logic, such as an out-of-order IP
                          fragment.

  Transport Layer         Anomalies related to TCP, UDP, SSL, and other transport-layer protocols.
                          Includes:

    Hijack                Hijacking a connection.

    Spoof                 Spoofing a transport layer property (for example, a TCP port number, or an
                          SSL entity).

    Flow                  A problem in TCP connections or flows, such as a SYNACK without SYN, a
                          sequence number mismatch, or time exceeded.

  Application Layer       Application-layer anomalies. Includes:

    Flow                  A peer does not follow the order of commands.

    Syntax Error          A syntax error in an application-layer command.

    Unsupported Command   A command which does not exist or is not supported.

    Man in the Middle     A man-in-the-middle attack on the application layer.

Exploit

  Vulnerability           Exploiting a vulnerability (for example, a buffer overflow, code injection, or
                          format string).

  Weak Configuration      Exploitation of a weak configuration. This is something that could be remedied
                          easily by changing the configuration of the service (for example, weak
                          passwords, default passwords, insecure software versions, or open SMTP
                          relays).

  Privilege Escalation    A user identity has received an increase in its user privileges.

  Directory Traversal     A user identity is attempting to browse or methodically review directories for
                          which it may not have appropriate privileges.

Brute Force               Brute-force attacks. Includes:

  Login                   Continued trials for logins.

  URL Guessing            Continued trials for URLs to access information or scripts.

Redirection               Redirecting an entity. Includes:

  ICMP                    ICMP redirects.

  DNS                     Unauthorized DNS changes.

  Routing Protocols       Attacks aimed at routing protocols (for example, BGP, RIP, OSPF).

  IP                      Redirection using the IP protocol (for example, source routing).

  Application             Redirection attacks on the application layer (for example, cross-site
                          scripting, mail routing, or JavaScript spoofing).

Code Execution            Either the execution or transmission of executable code, or the transmission of
                          a distinctive response from executed code. Includes:

  Trojan                  The code in question is concealed within other code that serves as a Trojan
                          Horse. In other words, it appears to be one thing (that is safe) but is really
                          another (that is unsafe).

  Application Command     The code in question is intended to invoke an application command.

  Shell Command           The code in question is intended to be executed in a shell.

  Worm                    Code associated with a worm.

  Virus                   Code associated with a virus.

Scan                      Any type of scanning. A network, host, application, or operating system scan
                          can be identified through the specified object. Includes:

  Port                    Multiple ports are scanned.

  Service                 A service is scanned (for example, DDoS client discovery, backdoors, RPC
                          services, or scans for a specific application such as NMB).

  Host                    Scanning for hosts on a network.

  IP Protocol             A search for responding protocols. Note that TCP and UDP are not the only
                          transport protocols available.

  Vulnerability           A scan for vulnerabilities.

DoS                       A denial of service attack is in progress.

Information Leak          Information leaking out of its intended environment (for example, mail
                          messages leaking out, system file access, FTP data access, or web document
                          access). Includes:

  Covert Channel          Leakage was detected from a covert channel, such as Loki.

Policy                    Policy-related violations such as pornographic web site access. Includes:

  Breach                  A policy-related security breach occurred.

  Compliant               A policy-compliant event occurred.


Significance Category 


Significance Category Details

Hostile          A malicious event has happened or is happening.

Informational    Events considered worthy of inspection; for example, those produced by polling.
                 Includes:

  Error          An execution problem.

  Warning        A possible problem.

  Alert          A situational problem that requires immediate attention.

Normal           Ordinary or expected activity that is significant only for historical analysis
                 purposes.

Recon            Relates to scans and other reconnaissance activity.

Suspicious       A potentially malicious event occurred.
Asset Categories

Asset categories are system resources that describe properties of an asset, such as the operating
system running on it, key applications it hosts, its role within the enterprise, and any other properties
you want to consider when evaluating threats or behaviors associated with this asset.

There is more information about asset categories in ESM 101. See “Asset Categories” in the main
topic, "The Network Model."

The Asset Categories subtab in the Navigator provides options to organize assets into groups based on 
categories. See "Managing Asset Categories" on page 136. 


Event Categories 

Events received from ArcSight-supported devices are automatically categorized (appended with
classification information) by ArcSight SmartConnectors based on the ArcSight event categorization
taxonomy. Event Categories are used to classify events based on criteria such as object type,
behavior, outcome, technique, device group, and significance. This additional information about an
event (together with normalization and other filtering) helps to identify the significance of events from
different devices and vendors based on a consistent model.

For information about categorization of events by SmartConnectors go to the HP Protect 724 Web site
and download the document entitled ArcSight Categorization White Paper
(https://protect724.hp.com/docs/DOC-10782).

For information on creating custom event categories, see "Event Categorization" on page 990. 


Collaboration 

The ArcSight Console's collaboration capability is a collection of features that make it possible for 
analyst teams to select certain security events for further on-going investigation. Investigation involves 
a workflow-style process of information collection that leads through a series of analysis stages to a 
final disposition. 

In the ArcSight Console, you locate events for analysis through the active channels in the Viewer 
panel. You use the Annotate Events dialog box or the Event Inspector to annotate an event, or 
collection of events, and set it up for follow-on analysis. Once you have placed the event or collection in 
the collaboration "pipeline" by assigning it a disposition stage (such as Initial), you or other analysts 
manage it through to resolution using the assigned stages as filter arguments. 

ArcSight provides a set of default collaboration stages, but your enterprise may well use others created 
specifically for your workflow needs. Owners, disposition stages, comments, and other factors change 
as an event's handling progresses. The collaboration cycle usually ends when someone marks the 
event's Stage field as Closed (or the equivalent). 

Compare collaborative annotation to cases, which are a more formal way to track sets of events that 
are under investigation. 
Default Collaboration Stages 

Stage               Meaning 

Queued              The event has not yet been inspected. 

Initial             The event has been inspected. 

Follow-up           The event is under investigation. 

Final               The investigation has concluded. 

Closed              The investigation is closed. 

Monitoring          The event is being watched, especially in regard to a reoccurrence in support of a 
                    pattern. 

Rule Created        The event has been used to create a rule that assists in monitoring for a reoccurrence, 
                    especially in regard to patterns, and potentially to respond in some way such as with a 
                    notification. 

Flagged as Similar  The event is similar to one already under investigation. 


See "Collaborating on Events (Event Annotation)" on page 277 for descriptions of the tasks involved. 


Common Conditions Editor (CCE) 

The ArcSight Console has a Boolean logic editor, which is also referred to as the Common Conditions 
Editor (CCE). If the criteria are met, the evaluation returns a Boolean true or false. All conditions 
constructed by the CCE are expressions that consist of a value or variable on the left, an operator 
(NOT, AND, OR), and a value on the right, for defining the conditions you use to help analyze 
resources such as filters, rules, and reports. This topic is your reference for using the CCE, wherever it 
appears. 

See "Logical Operators" on page 999 for related information on creating conditions. 

See also "Filtering Events" on page 286, especially subtopics on "Creating Filters" and "Debugging 
Filters to Match Events". 


Editor Features 

The CCE has two tabs: Edit and Summary. In the Edit tab, logical operators are represented in a tree 
form. 

In the Summary tab, conditions are presented in an easily readable, summary view. Resource 
references in the Summary tab are hyperlinked. From the Summary tab, click a resource link to open 
its definition in a resource editor in the Inspect/Edit panel. 

Conditions are editable only on the Edit tab. Wherever the CCE appears, you use these features to 
build or change conditional expressions. 
• The condition tree shows the complete set of expressions you are building or changing. 

• The root of the tree indicates whether the expression concerns "Filters" (Filter By), "Correlation" 
(Correlate), or "Reports" (Report On), as you see in the Filters Editor, Rules Editor, or Report 
Editor, respectively. 

• From the root, there are branches for one or more events. For each event branch, there are sub- 
branches for one or more condition statements. 

• To add an event for a rule, select the root and click the New Event Definition button (see below) or 
right-click the root and choose the same command. Note that only rules can add events because 
filters and reports do not need additional events for correlation. 

• To act on a specific event or conditional statement, select it in the tree. Once selected, you can 
use several features to modify it, as described here and below. 

• Use the new event, logical operator, and resource selector buttons above the tree to add 
events, operators, or resource-based constraints to condition statements, if applicable. 

• Use the right-click menus that are available for any selected branch of the condition tree to choose 
commands that are applicable to that statement in that context. 

• When you use the right-click Edit command to edit a selected statement directly in the tree (rather 
than through the event fields table), you can use the Enter key to update the condition without 
having to click Apply or OK. 

• Use single- or multiple-selection copying and pasting of statements for efficiency. You can use 
the right-click menu commands or Ctrl+C for copy, Ctrl+X for cut, and Ctrl+V for paste. 

• Use the "Field Sets" selector to choose an appropriate group of event fields when an event-related 
statement is selected in the condition tree. 

• To undo/redo an action, right-click in the Edit panel and choose either Undo or Redo, depending 
upon the action you want to use. For example, if you decide to delete a node, a message asks you 
to confirm. If you want to undo this delete, right-click in the Edit panel and choose Undo Delete. 
(You can also use the standard keyboard commands Ctrl+Z for undo and Ctrl+Y for redo.) 

• To search for a resource, click in the field column (on the left side of the list) and start typing. A 
Search popup is displayed when you start typing, and shows the term as you type it. The search is 
"predictive" in that it navigates to and selects matching fields as you type. Press Enter to select the 
resource. For details see "Searching for Fields in Event Inspector, Resource Editors, or CCE" on 
page 50. 


Note: Both tabs provide syntax and error highlighting. As an example of error highlighting, if a 
condition uses resources that are later removed, references to the missing resources are 
highlighted as errors in the condition statements in the CCE. 
[Figure: the CCE in the Inspect/Edit panel. In the Conditions "Edit" tab, logical operators are 
represented in a tree form; use this tab to define and edit conditional statements. In the Conditions 
"Summary" tab, conditions are shown in an easily readable summary view.] 


Condition Tree Command Buttons 

All of the following options are available from buttons at the top of the Conditions Editor and also from 
right-click menu options. The exception is the "In Case" Condition which is only available from a right- 
click menu option. 
Condition Tree Command Buttons 

New Event Definition 
    Insert a new condition tree in the editor. 

AND 
    Insert an AND condition. 

OR 
    Insert an OR condition. 

NOT 
    Insert a NOT condition. 

Filters 
    Matches Filter condition. This resource-based command browses the Filters tree of the Navigator 
    panel. Note that this operator applies only to rules. 

Assets 
    Assets condition. This resource-based command browses the Assets tree of the Navigator panel. 
    Note that this operator applies only to rules. 

Vulnerabilities 
    Has Vulnerability condition. This resource-based command browses the Vulnerabilities tree in the 
    Navigator panel. 

Active List 
    InActiveList condition. This command browses the Navigator panel's Active Lists tree, and operates 
    on items in the event and actor schemas. It is used to map a field or a global variable in the event 
    schema to a corresponding field in an active list. It does not evaluate items in other non-event 
    schemas (such as cases or assets). 

    The InActiveList operator option evaluates single-value attributes and multi-value attributes. The 
    field you map could return multiple values. In the case of multi-value attributes, if any one value 
    matches, the condition evaluates to true. 

    Consider this scenario for multi-value attributes: An active list keeps track of actor roles where role 
    values can be one of Normal, Restricted, or Privileged. You can test if an actor has one of these 
    roles. If your list has a field called RoleName, you map the actor's RoleName attribute to this field. 
    Keep in mind that an actor's RoleName attribute is multi-valued because an actor can have multiple 
    roles. Through the InActiveList condition, you can have a query that checks if one of the actor's 
    roles is Privileged. 

    A condition that tests for whether all or any values in a list match is only available to specify on 
    queries and on in-memory operations such as rules, filters, and data monitors. 

    Note: The InActiveList condition in lightweight rules does not support lists with multi-mapped 
    values. 

Joins 
    Inserts a Join or Matching Event condition. 

    Note: This option applies only to Rules. See "Creating Matching or Join Conditions" on page 504. 
Condition Tree Context Menu Commands 

New Condition 
    Add a new condition statement below the selected element. Type the statement directly in the tree 
    or choose a field from the pop-up menu. 
    Applies to: operator, event field 

New Logical Operator 
    Add a new logical operator to the selected element. See "Logical Operators" on page 999. 
    Applies to: event alias, operator, event field 

New Constant Condition 
    Add a Boolean (True/False) AND operator to the selected branch. 
    Applies to: operator 

New "Matches Filter" Condition 
    Use the Filter selector to identify a particular filter as a matching argument for a condition. 
    See also "Creating Matching or Join Conditions" on page 504. 
    Applies to: operator, event field 

New "Assets" Condition 
    Use the Assets selector to identify an asset or group as the argument for a condition. 
    See also "Adding Asset Conditions" on page 500 in "Specifying Rule Conditions" on page 498. 
    Applies to: operator, event field 

New "Has Vulnerability" Condition 
    Use the Vulnerability selector to identify a vulnerability as the argument for a condition. 
    See also "Adding Vulnerability Conditions" on page 501. 
    Applies to: operator, event field 
New "InActiveList" Condition 
    Use the Active List selector to identify a particular active list that contains the argument for a 
    condition. It is used to map a field or a global variable in the event schema to a corresponding field 
    in an active list. It does not evaluate items in other non-event schemas (such as cases or assets). 

    When the InActiveList condition is used to compare values in two lists, an additional option is 
    shown where you can specify whether All values in list field must match. If this option is checked, 
    the Active List condition evaluates to true only if all values in both lists match. If it is not selected, 
    the condition evaluates to true if any field is in both lists. 

    Note: The InActiveList operator option evaluates single-value attributes and multi-value attributes. 
    The field you map could return multiple values. In the case of multi-value attributes, if any one value 
    matches, the condition evaluates to true. 

    Consider this scenario for multi-value attributes: An active list keeps track of actor roles where role 
    values can be one of Normal, Restricted, or Privileged. You can test if an actor has one of these 
    roles. If your list has a field called RoleName, you map the actor's RoleName attribute to this field. 
    Keep in mind that an actor's RoleName attribute is multi-valued because an actor can have multiple 
    roles. Through the InActiveList condition, you can have a query that checks if one of the actor's 
    roles is Privileged. 

    A condition that tests for whether all or any values in a list match is only available to specify on 
    queries and on in-memory operations such as rules, filters, and data monitors. 

    See also "Adding Active List (InActiveList) Conditions" on page 502. 
    Applies to: operator, event field 

New "InCase" Condition 
    Use the Cases resource tree to identify a particular case as the argument for a condition. For 
    events, the condition checks if the event is part of a case's details. 

    Note: The channel that uses a filter with the InCase condition is set to evaluate only once, therefore 
    making the channel static. In this situation, if a rule subsequently adds an event to the case as you 
    are viewing the case's events on the channel, the channel is not updated until you close, then 
    re-open (refresh) the channel. 

    See also: 
    • "Applying Rule Actions on Cases" on page 527 
    • "Working with Events in Cases" on page 609 
    Applies to: operator, event field 
New Event Definition 
    Create and name a new event alias to add to the root. 
    Note: This option applies only to Rules. 
    Applies to: root 

Change Operator 
    Change the rule operator to And, Or, or Not. 
    Applies to: operator 

Set Global Expiration Time 
    For rules, set the amount of time that qualifying events for all aliases are retained in memory for 
    evaluation, based on Manager receipt-time. Setting an alias expiration overrides a global expiration, 
    if present. See "Specifying Rule Thresholds and Aggregation" on page 511 for more information. 
    Note: This option applies only to Rules. 
    Applies to: root 

Align Nodes 
    When selected, shows the hierarchical structure of event conditions. 
    Note: This option applies only to Rules. 
    Applies to: root 

Edit 
    Open a text box in which to change the selected element. 
    Applies to: operator, event field 

Undo 
    Undo an action. 
    Applies to: all actions 

Redo 
    Redo an action. 
    Applies to: all actions 

Cut 
    Cut the selected elements of the condition tree to the Clipboard. 
    Applies to: root, event alias, operator, asset, event field 

Copy 
    Copy the selected elements of the condition tree to the Clipboard. 
    Applies to: root, event alias, operator, asset, event field 
Paste 
    Paste the conditional element currently on the Clipboard to the end of the selected element in the 
    tree. 
    Applies to: root, event alias, operator, asset, event field 

Delete 
    Delete the selected elements of the condition tree. 
    Applies to: event alias, operator, asset, event field 

Set Alias Expiration Time 
    For rules, set the amount of time that a qualifying event for this alias (only) is retained in memory 
    for evaluation, based on Manager receipt-time. See "Specifying Rule Thresholds and Aggregation" 
    on page 511 for more information. 
    Note: This option applies only to Rules. 
    Applies to: event alias 

Consume After Match 
    Use the event only once to fire a rule. Thereafter, additional joins with other event conditions are 
    not performed within the rule's time window. This setting is used to reduce the number of 
    correlation alerts. 

    By default, this setting is off. 

    If disabled, an event matching a rule's event condition alias stays in working memory and continues 
    to combine with events that match other aliases, until the event itself expires within the time 
    window. 
    Note: This option applies only to Rules. 
    Applies to: joins 

Negated 
    For rules, a way to monitor the non-occurrence of an event. See "Negating Event Conditions" on 
    page 506 for details on how to trigger rule actions based on negated events. Setting an event 
    condition to Negated requires you to enter a timeout value. If the negated event is not sent from the 
    device within this period, the rule is triggered. 
    Note: This option becomes available if the rule has two or more event conditions. 
    Applies to: event condition alias 

Set Matching Time 
    Sets the maximum time difference between the partially-matched aliases. 
    Note: This option applies only to Rules. 
    Applies to: matching event operator 
Print Conditions and Tree Summary 
    Prints the condition definition as shown on the Edit tab and the Summary statement. Selecting this 
    menu option brings up a Print Preview dialog where you can view what will print, and set printer 
    options. 
    Applies to: event alias, operator, asset 

Help 
    Open the online Help system for information about the type of resource being edited. 
    Applies to: root, event alias, operator, asset, event field 
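The InActiveList entries above (the Active List button and the New "InActiveList" Condition command) describe how a single- or multi-valued attribute is compared with a field of an active list, and how the "All values in list field must match" option changes the result. The following is an added example, not ArcSight's own code, that models that comparison with the RoleName scenario from the table. The active list and actors are constructed for illustration; the "all values must match" mode is read here as "every value of the compared attribute is present in the list field", which is this example's interpretation of the option.

```python
"""InActiveList matching for single- and multi-valued attributes.

Added illustration (not ArcSight code) of the InActiveList condition: an
event or actor attribute is mapped onto one field of an active list and the
condition is true when the attribute's value(s) are found in that field.
"""


def in_active_list(attribute_value, active_list, list_field, all_values_must_match=False):
    """Evaluate <attribute> InActiveList <list>, mapped onto the list's list_field column.

    Default mode: a multi-valued attribute matches if any one of its values is in
    the list field. With all_values_must_match=True every value must be present
    (this example's reading of the "All values in list field must match" option).
    """
    listed = {entry[list_field] for entry in active_list}
    # A single-valued attribute is a plain string; a multi-valued one is a sequence.
    values = {attribute_value} if isinstance(attribute_value, str) else set(attribute_value)
    if not values:
        return False          # an attribute with no values cannot be in the list
    if all_values_must_match:
        return values <= listed
    return not values.isdisjoint(listed)


# Constructed active list of privileged roles, with a single field RoleName.
PRIVILEGED_ROLES = [{"RoleName": "Privileged"}]

# Constructed actors. RoleName is multi-valued because an actor can hold several roles.
ACTORS = {
    "alice": {"RoleName": ["Normal", "Privileged"]},
    "bob": {"RoleName": ["Restricted"]},
    "carol": {"RoleName": "Privileged"},      # single-valued attribute
}


def privileged_actors(actors, all_values_must_match=False):
    """Names of actors whose RoleName attribute satisfies the InActiveList condition."""
    return sorted(
        name for name, actor in actors.items()
        if in_active_list(actor["RoleName"], PRIVILEGED_ROLES, "RoleName", all_values_must_match)
    )


if __name__ == "__main__":
    print("any value matches:", privileged_actors(ACTORS))
    print("all values must match:", privileged_actors(ACTORS, all_values_must_match=True))
```

In the default (any-match) mode alice qualifies because one of her two roles is Privileged; with the all-values option she no longer qualifies, because Normal is not in the list field, which is the practical difference a rule author sees between the two settings.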


Adding Conditions 

When adding conditions, decide how the new condition ties to existing conditions. You use the AND, 
OR, and NOT operators to define relationships between condition statements. If AND is used, the new 
condition must occur in addition to the selected condition. If OR is used, either the selected condition 
or the new condition must occur. If NOT is used, all but the new condition must occur. 


Tip: Multiple assets and asset categories added to a single asset condition are always OR'ed 
together (not AND'ed). 

For example, create a new rule, click the Conditions tab in the Rule Editor, select Assets, and 
add some asset categories to the condition. (To do this, select them on the Asset Categories tab 
at the bottom of the Editor and click Apply.) The Edit tab then shows a tree like this: 

  Event conditions 
    {} event1 
      Assets 
        Source Asset ID InGroup("/All Asset Categories/ArcSight System Administration/Consoles/") 
        Source Asset ID InGroup("/All Asset Categories/ArcSight System Administration/Managers/Local/") 
        Source Asset ID InGroup("/All Asset Categories/ArcSight System Administration/Databases/") 

Click the Summary tab to view the detail of the Boolean logic. This shows that the assets are 
OR'ed together: 

  event1: 
  ( Source Asset ID InGroup("/All Asset Categories/ArcSight System Administration/Consoles/") Or 
  Source Asset ID InGroup("/All Asset Categories/ArcSight System Administration/Managers/Local/") Or 
  Source Asset ID InGroup("/All Asset Categories/ArcSight System Administration/Databases/") ) 

If you want to AND an asset condition to other conditions, go back to the Edit tab, select the event 
definition again, and add other conditions based on the fields shown in the lower half of the editor. 

To add more condition statements, right-click an existing statement and choose New Logical 
Operator, then And, Or, or Not, or click a logical operator or resource-selection button. Then, create 
the new condition statement. 

Event-definition and Join conditions are allowed only in rules, to include separate events or aliases and 
to correlate those separate events, respectively. 

In the data field table, scroll to a data field in the Name column to create a condition statement. 

Data fields provide event details from all devices deployed throughout your enterprise. Event details 
from these devices are normalized into common data fields and stored in the database to allow 
investigative and analytical comparison of all incoming events. See 'Data Fields" on page 885 and 
"Timestamp Variables" on page 1065 for more information. 

The data field table displays a Name, Operator, and Condition column. These three columns are 
combined to create <data field> <logic operator> <data field value> condition statements. 
For example, if monitoring a Cisco Router, you could define a condition statement to specify Device 
Product = Cisco Router: Device Product as the data field, equals (=) as the logic operator, and 
Cisco Router as the data field value. 
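The Edit tab tree of And/Or/Not operators over <data field> <logic operator> <data field value> statements, and the Summary tab rendering of it, can be modelled in a few lines. The following is an added example, not ArcSight's own code: it evaluates such a tree against constructed sample events and renders the Summary-style text. The per-statement case_sensitive and negate flags stand for the "Aa" and negate checkboxes described later under "Parameterized Conditions"; treating a Not node as "none of its children match" is this example's choice, and the sample events are constructed, not device output.

```python
"""Model of the CCE condition tree (added example, not ArcSight code).

Statements are "<data field> <operator> <value>" rows; Operator nodes combine
them with And, Or or Not. evaluate() tests a normalized event (a dict of field
values); summary() renders the tree the way the Summary tab prints it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Statement:
    data_field: str                 # Name column, e.g. "Device Product"
    operator: str                   # Operator column: =, !=, Contains, StartsWith, EndsWith
    value: str                      # Condition column, e.g. "Cisco Router"
    case_sensitive: bool = False    # the "Aa" checkbox
    negate: bool = False            # the negate checkbox: all but this statement

    def evaluate(self, event: Dict[str, str]) -> bool:
        actual = event.get(self.data_field)
        if actual is None:
            matched = False         # a missing field never matches
        else:
            a, v = str(actual), self.value
            if not self.case_sensitive:
                a, v = a.lower(), v.lower()
            matched = {
                "=": a == v,
                "!=": a != v,
                "Contains": v in a,
                "StartsWith": a.startswith(v),
                "EndsWith": a.endswith(v),
            }[self.operator]
        return (not matched) if self.negate else matched

    def summary(self) -> str:
        text = f"{self.data_field} {self.operator} {self.value}"
        return f"Not ( {text} )" if self.negate else text


@dataclass
class Operator:
    kind: str                                              # "And", "Or" or "Not"
    children: List[Union[Statement, "Operator"]] = field(default_factory=list)

    def evaluate(self, event: Dict[str, str]) -> bool:
        results = [child.evaluate(event) for child in self.children]
        if self.kind == "And":
            return all(results)
        if self.kind == "Or":
            return any(results)
        if self.kind == "Not":
            return not any(results)   # this example: true when no child matches
        raise ValueError(f"unknown logical operator {self.kind!r}")

    def summary(self) -> str:
        joiner = " Or " if self.kind == "Not" else f" {self.kind} "
        inner = joiner.join(child.summary() for child in self.children)
        return f"Not ( {inner} )" if self.kind == "Not" else f"( {inner} )"


# The condition built the way the text describes: an And at the event root, the
# Device Product statement from the text, and an Or branch with two statements.
CONDITION = Operator("And", [
    Statement("Device Product", "=", "Cisco Router"),
    Operator("Or", [
        Statement("Name", "Contains", "swipe"),
        Statement("Name", "Contains", "login"),
    ]),
])

# Constructed sample events (not real device output).
EVENTS = [
    {"Name": "Badge swipe accepted", "Device Product": "Cisco Router"},
    {"Name": "User login failed", "Device Product": "cisco router"},
    {"Name": "Interface up", "Device Product": "Cisco Router"},
    {"Name": "User login failed", "Device Product": "Juniper SRX"},
]


def matching_events(condition, events):
    """Indexes of the events that satisfy the condition."""
    return [i for i, ev in enumerate(events) if condition.evaluate(ev)]


if __name__ == "__main__":
    print(CONDITION.summary())
    print(matching_events(CONDITION, EVENTS))
```

The second event matches only because the comparison is case-insensitive by default; setting case_sensitive=True on the Device Product statement drops it, which is the same effect the "Aa" checkbox has in the editor.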

Search Box to Find Fields in the List 


Tip: Search Shortcuts 

• Type part of the field name you want to find (for example, Name) in the Search box. 

• Use the up/down arrow keys to jump to each instance of Name in the available fields. 

• When you find the field name you want, press Return to add it to the condition statement. 

• Ctrl+F re-displays the Search box if it is hidden. 


ArcSight Console User's Guide 
Chapter 29: Reference Guide 


[Figure: Search Box Example, showing the Search box above the field list with the Search Shortcuts 
above called out.] 

Field Comparisons with Variable or Static Values 

For any field comparison, a drop-down menu of variables is provided for the right side of the statement. 
Or you can type a value here. 


[Figure: Filter Editor in the Inspect/Edit panel (Filter tab), showing the drop-down menu of variables 
for the right side of a field comparison.] 


The CCE provides a field comparison ability that allows you to compare one field to another field (for 
example, AttackerHostName = AttackerUserName). This functionality is available on the Console 
wherever the CCE is available (in "Rules", "Reports", "Filters", and so on). If the fields you are 
comparing are numeric, the fields can be of different numeric types, for example, a long type compared 
to a floating point type. 

Left-side event attributes can be compared to right-side conditions (represented as variables or static 
values) using operators like equals (=), is not equal to (!=), is less than or equal to (<=), is greater than 
or equal to (>=), is less than (<), is greater than (>), and so forth. 

Matching or Join Rules 

The Common Conditions Editor provides a convenient way for you to create matching or join 
conditions for your standard rule. Refer to "Creating Matching or Join Conditions" on page 504 for 
details. 

Using Field Sets 

The Common Conditions Editor provides access to all available "Field Sets" you created. You can 
specify fields with particular values as part of condition statements. See also "Creating and Using 
Field Sets" on page 546. 


You can select a particular field set, which limits the fields shown to a subset of all available fields. 
If you cannot find a field, click the "Clear field set selection" button to clear the field set selection and 
show the complete list of fields. A common problem is having the common conditions editor (CCE) field 
display limited to a field set that does not include some fields you want to use in the condition. 


[Figure: the Conditions editor with the selected field set, the "Clear field set selection" button, and the 
field sets and fields with which you can build conditions. If a particular field set is specified, only a 
subset of the available fields is displayed on the lower part of the panel; to display all fields, click the 
"Clear field set selection" button. When all fields are showing, this button is disabled.] 


For example, suppose you define a condition to look for two matching events; one in which Event 
Name contains "swipe" and another in which Event Name contains "login". You can set this condition 
with the "Standard" field set shown above because it includes the Event Name field in the list of 
available fields from which to choose. But if you wanted to add conditions based on an Event field for 
"Correlated Event Count" or Threat field for "Model Confidence," you would clear the Field Set and view 
all fields to get access to these fields. 

Tip: Fields shown in italics are derived from data in other fields. Derived fields show up in various 
places on the Console UI including on the Field Set editor, and the Common Conditions Editor 
(CCE) aggregation tabs (for example, Rules, Filters, and so forth). 


Adding or Removing Global Variables Using the CCE 

The Common Conditions Editor enables you to define a local variable to apply to the condition 
statement for that resource, and it also enables you to place global variables in the condition by using 
the +/- Global Variables button (next to the Field Set selector) on the CCE. 

To add global variables and make them available for conditional statements in a resource: 

1. In the CCE for a given resource, click the +/- Global Variable button. 

The Global Variable Selector displays the Fields resource tree containing your selection of global 
variables. 

2. Select one or more variables you want to add and click OK. 

The variables are added as part of the available fields on the CCE under the Variables group. 

3. On the CCE, scroll to the bottom of the available fields. You can use these variables in condition 
statements for this resource. 
To remove one or more global variables from the available fields list in the CCE for 
a resource: 

1. In the CCE for a given resource, click the +/- Global Variable button. 

2. On the Global Variable Selector dialog, click to de-select one or more variables you want to 
remove and click OK. 

3. The variables are removed from the list of available fields in the CCE. 

For more information about global variables, see "Global Variables" on page 555. 

For information about variables in general, see "Variables" on page 1069. 

For information about using variables with velocity expressions, see "Velocity Templates" on 
page 1093. 


Testing for Zone Relevance 

Events include several data fields that are related to zones (see "Assets" on page 797). In the 
Common Conditions Editor you can compare these fields with asset groups or categories, to test 
whether the field's event does or does not correlate with those asset properties. This comparison is 
performed by the InGroup operator. 

For example, if an event's Attacker Zone field value and a Source Asset ID's System Asset 
Categories' Criticality value correlate, then the InGroup operator would test True. You can apply this 
outcome in your reports, rules, or filters. 

Note: The InGroup operator is inserted automatically when you create zone-asset correlation 
statements in the Common Condition Editor. There is no button or command to manually insert the 
operator. 

The InGroup operator tests True for specified asset resources and their parents but not for their own 
peers or their parent's peers. 

1. In the Conditions tab of any appropriate editor, set a logical operator for a zone-related field (for 
example, Destination Zone). 

2. In the same field, click the ellipsis button (...). In the Select a Zone dialog, enter a prompt for the 
condition, select the Parameter checkbox, then choose a zone from the resource tree. 

3. Right-click the new statement in the editor and choose AND, then right-click the AND statement 
and choose New Assets Condition. 

4. In the Asset resources panel below, choose the Source, Target, or other type of relevant asset ID. 

5. For that asset ID type, click the Assets or Asset Categories tab and select an asset group or 
category to test with the InGroup operator. 

6. Click Apply in the Assets resources panel to add the asset group or category to the condition 
statement, with the embedded InGroup operator. 
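The InGroup rule stated above (True for the specified group and its parents, not for peers or the parent's peers) is easiest to see as a test on the resource path. The following is an added example, not ArcSight's own code: it reads that rule as "the tested group is the resource's own group or an ancestor of it", implemented as a segment-wise prefix match, and combines a zone test with an asset category test the way steps 1 to 6 build the statement. The asset category paths are the ones quoted earlier on this page; the zone paths, the "Target Asset Category" field name and the sample event are constructed for illustration.

```python
"""InGroup test over resource paths (added example, not ArcSight code).

Reads the rule in the text as a prefix test: InGroup(group) is True when the
resource's own group path is group or lies below it, and False for peer
groups and for peers of the parent.
"""


def _segments(path):
    """Split a resource path such as "/All Zones/Corp/DMZ/" into its segments."""
    return [s for s in path.strip("/").split("/") if s]


def in_group(resource_path, group_path):
    """True if group_path is resource_path's own group or one of its ancestors."""
    res, grp = _segments(resource_path), _segments(group_path)
    return len(grp) <= len(res) and res[: len(grp)] == grp


def zone_relevant(event, zone_group, asset_category_group):
    """The statement built in steps 1 to 6: a zone field InGroup a zone group,
    AND the chosen asset's category InGroup an asset category group."""
    return (in_group(event["Destination Zone"], zone_group)
            and in_group(event["Target Asset Category"], asset_category_group))


# Constructed sample event. The zone path and the "Target Asset Category" field
# name are invented for this example; the category path is one quoted on the page.
SAMPLE_EVENT = {
    "Destination Zone": "/All Zones/Corporate/Datacenter/Management/",
    "Target Asset Category": "/All Asset Categories/ArcSight System Administration/Consoles/",
}

if __name__ == "__main__":
    print(zone_relevant(SAMPLE_EVENT,
                        "/All Zones/Corporate/Datacenter/",
                        "/All Asset Categories/ArcSight System Administration/"))
```

Testing against a parent group (".../ArcSight System Administration/") therefore covers every category beneath it, while testing against a peer (".../Databases/" for a Consoles asset) does not; the reverse direction, a group below the resource's own, is also False.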

Conditional Statements 

This table offers sample conditional expressions you can create using various operators, event fields, 
and data types. 

Data Types in Conditional Statements 

Number or Integer, including MAC Address 
    Using numeric (integer) fields, you can specify operators including =, !=, <, <=, >=, >, and In to 
    specify a numeric comparison expression, for example: CustomNumber1 = 50. 

    To use In, you can specify any number of comma-separated values to match (or equal). 

    Use the above operators for MAC addresses, for example: Attacker Mac Address != <Mac address> 

String 
    Using string fields, you can specify operators including =, !=, In, Contains, Matches, Starts With, 
    Ends With, and Like to define a string comparison expression. For example: ArcSightCategory 
    StartsWith /Attack or ArcSightCategory = /AttackSuccess 

DateTime 
    Using DateTime fields, you can specify operators including =, !=, Between, In, and On to specify a 
    datetime comparison expression. For example: DetectTime Between 4/1/03 11:30:01AM, 4/1/03 
    4:30:01PM. 

    You can enter DateTime values directly or click the ellipsis (...) button to select a date from a 
    pop-up calendar or a special date keyword list. Special date keywords you can use are: Now, 1 or 2 
    hours ago, 1 or 2 days ago, 1 or 2 weeks ago, or a replay start and end time. You can also use 
    special system variables such as: 

    • $CurrentDateTime: for the date and time the report is run; the system variable is replaced by the 
      current date and time value. 

    • $CurrentDate: for the date the report is run; the system variable is replaced with the date value, 
      truncating the time of the day to 0, when the report is scheduled or run. 

    You can specify certain date operations with these system variables to add or subtract a number of 
    specified days or hours. For example, you could type $CurrentDate - 7d for seven days before the 
    date the report is run (the condition evaluates to the current date minus seven days), or 
    $CurrentDateTime - 12h, which evaluates to the current date and time minus 12 hours. 
IP Address 
    Using IP address fields, you can specify operators including =, !=, In, InSubnet, and Between to 
    specify an IP comparison expression. For example: TargetAddress = 192.0.2.0. With the In 
    operator, you can also specify a comma-separated list of IP addresses to match; with InSubnet, 
    you can specify IP address ranges in CIDR format or a range of addresses in a specific subnet. 


These same rules apply to the conditions editor used in defining rules, creating conditional reports, and 
filters. 

Tip: Using variables 

You can use all of the dynamic time parameters you see in the Active Channel Editor and 
elsewhere, such as $Now and $CurrentDateTime. The same is true for time elements, including s 
(second), m (minute), d (date), M (month), w (week), and y (year). To use any event data field as a 
variable, express its displayed name as a one-word, camel case string prefixed with a dollar sign; 
for example, "Source Address" is $sourceAddress. See the complete discussion in the topic 
"Variables" on page 1069. 
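The operators in the "Data Types in Conditional Statements" table, together with the $CurrentDate - 7d and $CurrentDateTime - 12h shorthand from the DateTime row and the tip above, can be exercised end to end. The following is an added example, not ArcSight's own code, with one comparison function per data type. Its assumptions: list operands for In and Between are comma-separated strings as written in the table; Matches is treated as a regular-expression match; Like is omitted because its wildcard syntax is not given on this page; the M (month) and y (year) offsets are omitted because they are not fixed-length; and the literal date format is the one shown in the table (4/1/03 11:30:01AM). All sample values are constructed or taken from the table.

```python
"""Typed comparison operators from the data-types table (added example, not ArcSight code)."""
import ipaddress
import re
from datetime import datetime, timedelta

_DATE_FORMAT = "%m/%d/%y %I:%M:%S%p"          # literal form used in the table: 4/1/03 11:30:01AM
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def _items(value):
    """Split a comma-separated operand (the In / Between argument form) into trimmed strings."""
    return [v.strip() for v in str(value).split(",")]


def resolve_time(value, now):
    """Turn a literal date, or $Now / $CurrentDateTime / $CurrentDate with an optional
    "- 7d" style offset, into a datetime. $CurrentDate truncates the time of day to 0."""
    if isinstance(value, datetime):
        return value
    m = re.fullmatch(r"\$(Now|CurrentDateTime|CurrentDate)\s*(?:([+-])\s*(\d+)([smhdw]))?",
                     value.strip())
    if not m:
        return datetime.strptime(value.strip(), _DATE_FORMAT)
    base = now
    if m.group(1) == "CurrentDate":
        base = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if m.group(2):
        delta = timedelta(**{_UNITS[m.group(4)]: int(m.group(3))})
        base = base + delta if m.group(2) == "+" else base - delta
    return base


def compare_number(actual, op, value):
    """Numeric fields: =, !=, <, <=, >, >=, In (comma-separated list)."""
    a = float(actual)
    if op == "In":
        return a in [float(v) for v in _items(value)]
    v = float(value)
    return {"=": a == v, "!=": a != v, "<": a < v, "<=": a <= v,
            ">": a > v, ">=": a >= v}[op]


def compare_string(actual, op, value):
    """String fields: =, !=, In, Contains, StartsWith, EndsWith, Matches (regex, assumed)."""
    a = str(actual)
    if op == "In":
        return a in _items(value)
    if op == "Matches":
        return re.fullmatch(str(value), a) is not None
    return {"=": a == value, "!=": a != value, "Contains": value in a,
            "StartsWith": a.startswith(value), "EndsWith": a.endswith(value)}[op]


def compare_datetime(actual, op, value, now=None):
    """DateTime fields: =, !=, Between, In, On; operands may use the $ variables."""
    now = now or datetime.now()
    a = resolve_time(actual, now)
    if op == "Between":
        lo, hi = (resolve_time(v, now) for v in _items(value))
        return lo <= a <= hi
    if op == "In":
        return a in [resolve_time(v, now) for v in _items(value)]
    if op == "On":                                 # same calendar day
        return a.date() == resolve_time(value, now).date()
    v = resolve_time(value, now)
    return {"=": a == v, "!=": a != v}[op]


def compare_ip(actual, op, value):
    """IP address fields: =, !=, In, InSubnet (CIDR), Between (inclusive range)."""
    a = ipaddress.ip_address(actual)
    if op == "InSubnet":
        return a in ipaddress.ip_network(value, strict=False)
    if op == "Between":
        lo, hi = (ipaddress.ip_address(v) for v in _items(value))
        return lo <= a <= hi
    if op == "In":
        return a in [ipaddress.ip_address(v) for v in _items(value)]
    v = ipaddress.ip_address(value)
    return {"=": a == v, "!=": a != v}[op]


if __name__ == "__main__":
    run_at = datetime(2024, 5, 10, 15, 30, 0)      # constructed "report run" time
    print(compare_string("/AttackSuccess", "StartsWith", "/Attack"))
    print(compare_datetime("5/9/24 10:00:00AM", "Between",
                           "$CurrentDate - 7d, $CurrentDateTime", now=run_at))
    print(compare_ip("192.0.2.10", "InSubnet", "192.0.2.0/24"))
```

The Between check with "$CurrentDate - 7d, $CurrentDateTime" is the bounded detect-time window the "Parameterized Conditions" text below recommends: the lower bound resolves to midnight seven days before the run, the upper bound to the run time itself.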


Conditions 

Conditions are logical expressions (see "Logical Operators" on page 999) used to qualify events or 
other groupings of elements. Conditions can be specified in a number of places using a common 
condition editor; for example, to define rules or filters. 


Parameterized Conditions 

Some conditions can be parameterized; for example, in reports, the exact value used for a 
condition match is supplied at the time you run the report, through the Report Parameters 
popup. This lets report authors define default parameter values for the report, with the option 
to override them for a specific report run. 
This is a convenience for people running the report: it does not require write permission on the 
report, but provides much the same flexibility as being able to modify the report. Note 
that when defining parameters for detect time, you should always include a BETWEEN condition so 
that the report is limited to a specific time range and does not scan the entire event table. Otherwise, it 
can severely impact the Manager's information-retrieval performance. 

1. Select the ellipsis (...) button and then select the Parameter checkbox to create a 
parameter prompt for selected data fields of a report. When users run the report, they are first 
prompted to enter values for these parameters. When specifying a report parameter, you can 
define the prompt that is displayed to users, as well as a default value that is displayed in 
the prompt field. 

2. In the case-sensitive column (Aa), select the checkbox if the comparison on the data field needs to 
be case-sensitive. 

3. In the negate condition column (the "No" symbol), select the checkbox to invert the condition so 
that it matches every event except those that satisfy the statement. 

For example, if the condition statement is Device Product = Cisco Router and the negate 
condition checkbox is selected, all events except those from the Cisco Router generate a correlation 
event. 


4. Click outside the data field row. 
The condition statement (<data field> <logical operator> <data field value>) appears as a branch 
under the logical operator. 

5. On the Conditions tab, click OK. 

These same rules apply to the conditions editor used in creating other resources such as rules and 
reports. 
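A worked example, added here and not ESM code, that models the parameterized condition described above: each clause carries its parameter prompt and default, the Aa (case-sensitive) and negate flags, and the report refuses to run until a Between clause bounds detectTime, which is the performance caveat in the text. The Clause structure, the string operators implemented, the utc() helper and the sample events are constructed for this example:

```python
"""Parameterized report conditions with case, negate and time-bound checks (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Any, Optional


@dataclass(frozen=True)
class Clause:
    """One row of the conditions editor (structure assumed for this example)."""
    field: str
    operator: str                      # "=", "Contains", "StartsWith" or "Between"
    value: Any = None                  # literal value, or None when a parameter supplies it
    parameter: Optional[str] = None    # prompt name shown in the Report Parameters popup
    default: Any = None                # author-supplied default for that prompt
    case_sensitive: bool = False       # the "Aa" column
    negate: bool = False               # the "No" column


def bind_parameters(clauses, overrides):
    """Fill parameterized clauses from run-time overrides, else from their defaults."""
    bound = []
    for clause in clauses:
        if clause.parameter is None:
            bound.append(clause)
            continue
        value = overrides.get(clause.parameter, clause.default)
        if value is None:
            raise ValueError(f"parameter {clause.parameter!r} has no value")
        bound.append(replace(clause, value=value))     # report definition itself is untouched
    return bound


def has_time_bound(clauses, time_field="detectTime"):
    """True when a non-negated Between clause limits the report to a time range."""
    return any(c.field == time_field and c.operator == "Between" and not c.negate
               for c in clauses)


def _match(clause, event):
    actual = event.get(clause.field)
    if actual is None:
        hit = False                                     # unpopulated field never satisfies the test
    elif clause.operator == "Between":
        low, high = clause.value
        hit = low <= actual <= high
    else:
        left, right = actual, clause.value
        if isinstance(left, str) and not clause.case_sensitive:
            left, right = left.casefold(), right.casefold()
        if clause.operator == "=":
            hit = left == right
        elif clause.operator == "Contains":
            hit = right in left
        elif clause.operator == "StartsWith":
            hit = left.startswith(right)
        else:
            raise ValueError(f"unsupported operator {clause.operator!r}")
    return hit != clause.negate                         # the "No" column inverts the row


def run_report(clauses, events, overrides=None):
    """Bind parameters, refuse an unbounded time scan, return matching eventIds (rows ANDed)."""
    bound = bind_parameters(clauses, overrides or {})
    if not has_time_bound(bound):
        raise ValueError("add a Between condition on detectTime before running this report")
    return [ev["eventId"] for ev in events if all(_match(c, ev) for c in bound)]


def utc(text):
    """Constructed helper: ISO timestamp -> aware UTC datetime."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed report definition: everything except the Cisco Router, inside a parameterized window.
REPORT_CLAUSES = [
    Clause("deviceProduct", "=", "Cisco Router", negate=True),
    Clause("detectTime", "Between", parameter="window",
           default=(utc("2015-03-30T00:00:00"), utc("2015-03-31T00:00:00"))),
]
STRICT_CLAUSES = [replace(REPORT_CLAUSES[0], case_sensitive=True), REPORT_CLAUSES[1]]
UNBOUNDED_CLAUSES = [Clause("deviceProduct", "=", "Cisco Router", negate=True)]

# Constructed sample events.
SAMPLE_EVENTS = [
    {"eventId": 1, "deviceProduct": "Cisco Router", "detectTime": utc("2015-03-30T08:00:00")},
    {"eventId": 2, "deviceProduct": "cisco router", "detectTime": utc("2015-03-30T09:00:00")},
    {"eventId": 3, "deviceProduct": "Unix", "detectTime": utc("2015-03-30T10:00:00")},
    {"eventId": 4, "deviceProduct": "Unix", "detectTime": utc("2015-03-20T10:00:00")},
    {"eventId": 5, "detectTime": utc("2015-03-30T11:00:00")},   # deviceProduct not populated
]

if __name__ == "__main__":
    print("default window:", run_report(REPORT_CLAUSES, SAMPLE_EVENTS))
    print("case-sensitive:", run_report(STRICT_CLAUSES, SAMPLE_EVENTS))
    print("overridden window:", run_report(REPORT_CLAUSES, SAMPLE_EVENTS,
          {"window": (utc("2015-03-19T00:00:00"), utc("2015-03-21T00:00:00"))}))
```

Two behaviours are worth checking against your own ESM content before relying on them: with the case flag off, "cisco router" and "Cisco Router" are the same product, and a negated clause also admits events that never populated the field at all, which is what "all events except those from the Cisco Router" literally means.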


Content 

ArcSight provides preconfigured "Resources", also known as content, in the form of packages. 
Content packages are automatically installed to provide out-of-box resource suites that you can start 
using immediately to monitor and protect your network. Also, you can develop your own custom 
content with the editors and tools provided. 


Content Packages 

ArcSight ships with system content already developed that addresses common security and regulatory 
use cases. These use cases combine many resources to address multi-faceted issues. You can use 
system content as is, or modify it with data specific to your network environment. System content is 
delivered as packages. (See "Packages".) System content packages are automatically installed as a 
part of ArcSight to provide out-of-box resource suites that you can start using immediately to monitor 
and protect your network. (See also "Resources".) 

The content packages provided with a standard installation are: 

• ArcSight Administration 

• ArcSight System 


Custom Content 

The term "custom content" refers to resources and solutions created by customers using ArcSight 
software. Examples of custom content are user-configured "Rules", "Filters", "Active Channels", 
"Queries", "Trends", and "Reports" designed to address customer-specific scenarios. 


SmartConnector Content 

ArcSight continuously develops new SmartConnector event categorization mappings, which are often 
called "content." All existing content is included with major product releases, but you can also 
get regular content updates to stay completely current. 

ArcSight makes available to subscribing customers downloadable packages of new SmartConnector 
content. These releases occur frequently, generally on a bi-weekly basis. The download files are 
offered through a special subdirectory on an HP software server. This directory is visible only to 
subscribers, who receive a notification e-mail from HP Customer Support when the files are posted. 

The content is packaged in .aup (update) files, which may be wrapped in .ZIP files for transmission 
convenience. You place these .aup files in the Manager's /updates directory, where the Manager 
automatically finds the content and pushes it to the SmartConnectors. Each affected SmartConnector 
registers an internal event when the update occurs and can notify you by e-mail through the 
Manager. 

Contact your HP Customer Support representative to arrange for a content subscription. 


CORR-Engine 

The CORR-Engine is the central repository for all events. Once an event occurs, its Data Fields such 
as severity, create time, rules triggered, and so forth are stored in event archives in the CORR-Engine. 
The CORR-Engine stores all enterprise events in a normalized schema. You can then investigate and 
analyze the event information. The Manager is the only component that communicates with the CORR- 
Engine. Also see "Schema" on page 1037. 


Correlation 

Correlation is logically linking events based on multiple conditions. 

See "Identity Correlation" on page 569 for more information on using session correlation, and see 
"Rules Authoring" on page 493. 


Correlation Rule 

A programmed procedure that expresses conditions and actions, and evaluates normal or correlation 
events. A rule has two parts: a condition and an action. 

A condition determines whether a state exists and satisfies related expressions. If so, an action 
expression defines the response to the condition. 

A rule can have one or more conditions. If there is one condition, the rule acts as a filtering tool. If there 
is more than one condition, the rule acts as a correlation tool. A rule can be created for any incoming 
event from one or more event generators, with various conditions, logic statements, and thresholds. 

See "Identity Correlation" on page 569 for details on using session correlation. 


Customers 

To support managed security service providers (MSSPs), and larger enterprises that need to track 
activity related to cost centers or divisions, ArcSight can identify particular customers as the source of 
specific events. 
"Customers" can be any client, tenant, or internal identity scheme you designate. 

To use the Customers resource, you first model your existing customer or client base into the 
Customers resource tree in the Navigator panel, as described in "Managing Customers" on page 138. 
Then, using the Customer URI values established in the resource tree, you configure the appropriate 
SmartConnectors to report these values through their Customer URI attributes. 

Once you have implemented your Customer resource tree in the ArcSight Console, and configured the 
relevant SmartConnectors to report these Customer URIs, you can apply the Customer resources as 
filter condition arguments. 

For example, your Customers resource tree might include a branch that translates into a Customer URI 
of: /All Customers/Brokerages/Central States/Kansas City/Jones&Co. 

In the SmartConnectors resource tree, for those connectors that apply to this customer, you would 
apply this same string as the value for those connectors' Customer URI attribute, found under the 
Network section of the Connector: Default: Content tab. Thereafter, events reported by those 
connectors can be filtered in or out by referencing that branch of the Customers resource tree. 
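An added example (not ESM code) of filtering events in or out by a branch of the Customers resource tree. It assumes the event carries the connector's Customer URI in a field named customerURI, and that a branch matches on whole path segments, so that a filter on ".../Central" does not accidentally cover ".../Central States"; the sample events are constructed:

```python
"""Customer URI branch matching for tenant-scoped filters (added example)."""


def uri_segments(uri):
    """Split a Customer URI into its path segments, ignoring empty ones."""
    return [segment for segment in uri.strip().split("/") if segment]


def in_customer_branch(customer_uri, branch_uri):
    """True when customer_uri is branch_uri itself or lies beneath it.

    Comparison is segment-wise, not a string prefix, so '/A/Central' never
    matches '/A/Central States/...'. An absent URI belongs to no branch.
    """
    if not customer_uri:
        return False
    branch = uri_segments(branch_uri)
    return uri_segments(customer_uri)[: len(branch)] == branch


def split_by_customer(events, branch_uri, field="customerURI"):
    """Partition events into (inside branch, outside branch) lists of eventIds."""
    inside, outside = [], []
    for ev in events:
        target = inside if in_customer_branch(ev.get(field), branch_uri) else outside
        target.append(ev["eventId"])
    return inside, outside


# Constructed sample events; the first URI is the one used in the text above.
SAMPLE_EVENTS = [
    {"eventId": 1, "customerURI": "/All Customers/Brokerages/Central States/Kansas City/Jones&Co"},
    {"eventId": 2, "customerURI": "/All Customers/Brokerages/Central States/Omaha/Smith LLC"},
    {"eventId": 3, "customerURI": "/All Customers/Brokerages/Central"},
    {"eventId": 4, "customerURI": "/All Customers/Retail/Kansas City/Jones&Co"},
    {"eventId": 5},   # connector never had a Customer URI configured
]

if __name__ == "__main__":
    inside, outside = split_by_customer(SAMPLE_EVENTS, "/All Customers/Brokerages/Central States")
    print("Central States tenants:", inside, "everything else:", outside)
```

The event with no Customer URI at all lands in the "outside" list. For an MSSP that is the safer default: a connector whose Customer URI attribute was never set should not leak into a tenant's view, and its appearance in the "outside" bucket is the cue to fix that connector's configuration.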


Dashboards 

Dashboards are a graphical display of data gathered from one or more "Data Monitors". Dashboards 
can display data in a number of graphical formats, including pie and barcharts, tables, and custom 
layouts. 

Data monitors are views within the dashboard that can be configured to report on events, filters, rules, 
and other data or information that is of particular interest to you. Data monitors can be arranged within 
dashboards in numerous viewing layouts. 

When you right-click in a dashboard, you can choose from options described in "Dashboard Context 
Menu Commands" below. 


Dashboard Context Menu Commands 

Option | Description 
Save Dashboard | Save any changes you have made to the dashboard and its data monitors. 
Save As | Save the configured data monitors and dashboard under a different name. 
Close Dashboard | Close the dashboard and remove it from the Viewer panel. 
Dashboard > Zoom In / Zoom Out / Fit in | Visually enlarge or reduce the data monitors presented in the Viewer panel, or size the data monitors so that they all appear simultaneously in the current Viewer panel. 
Data Monitor > Edit | Edit the current data monitor in the Inspect/Edit panel. 
Data Monitor > Disable | Turn off the current data monitor. 
Data Monitor > Float / Minimize / Close | Float, minimize, or close the current data monitor. 
Show > DataMonitorName | Restore minimized data monitors. 
Show Details / Show Detailed Channels | Show the event details for the currently selected element in a data monitor graphic, such as a pie chart, or display each of the monitor's elements in detail in separate active channel grids. This is also called "drilling down." 
Investigate | Create an active channel or filter condition based on the highlighted event. The Investigate command uses the event's attribute type (its column heading) and the particular event's field value (for example, an exact IP address) to formulate filtered channels based on these two factors. The operators can include Create Channel [X = Y] and Add Condition [X = Y] to Editor. 
Tools | Choose one of the network tools to explore the origin of the selected event item. 
Show Scroll Bar | Toggles a scroll bar on and off in the selected data monitor. Use the scroll bar to show additional rows of tabular data if present. 
Export > Data Monitor/Dashboard as ... | Save the selected data monitor or the dashboard in the JPEG (graphic), CSV (comma-separated value or text-based), or HTML file format. 


Data Fields 

Processed events are composed of several attributes, each of which is a data field with its own 
characteristics. These event schema data fields fall into the groups shown in the following sections. 

Each attribute has both a Label that you see in the ArcSight Console and a unique Script Alias you 
use to refer to the attribute in filters, rules, or Velocity templates. The Data Type lets you know how to 
handle the attribute, and the Default Turbo Level indicates whether an attribute is, by default, 
classified as 1 (essential, or "fastest") or 2 (optional, or "faster"). Turbo Level 3 ("complete") isn't 
designated because it applies to additional data not represented here. 

The easiest way to view all event fields is on the Event Inspector (Event tab) or Common Conditions 
Editor (CCE) on the Console. (To bring up the Event Inspector select an event in a grid view like an 
active channel. Right-click and choose Show event details. The event's details appear in the Event 
Inspector.) To view all event fields, make sure that no field set is selected to limit the set of fields 
shown. (Select Clear from the drop-down menu above the list of event fields. With no field set 
selected, the drop-down shows “Select a Field Set”.) 
Note: For a list of ArcSight's Common Event Format (CEF) abbreviations, ask your ArcSight 
Support representative for the tech note entitled Implementing ArcSight CEF. 


Connector Group 

This group category falls into the device-to-Manager information chain. The chain begins at Device, 
which is the actual network hardware that senses an event. In cases where data is concentrated or 
otherwise pre-processed, it may be passed to a trusted reporting Final Device before reaching an 
Original Connector. Although the Original Connector is usually the only connector, if the data 
passes up through a Manager hierarchy, the chain includes handling by Connector stages that are the 
ArcSight Forwarding Connectors that facilitate Manager-to-Manager connections. 

Note: Since connectors are not registered to the local Manager, the Original Agent is not known 
and all the Original Agent fields are therefore blank and do not need to be displayed. 


Connector Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Connector Group Field Description 
Address | connectorAddress | IP address | 1 | The IP address of the device hosting the SmartConnector. 
Asset ID | connectorAssetId | Resource | 1 | The asset that represents the device hosting the SmartConnector. 
Asset Name | connectorAssetName | String | 1 | The connector's asset name. 
Asset Resource | connectorAssetResource | Resource | 1 | The connector resource. 
Descriptor ID | connectorDescriptorId | ID | 1 | The connector descriptor. 
DNS Domain | connectorDnsDomain | String | 1 | The Domain Name Service domain name associated with the device hosting the SmartConnector. 
Host Name | connectorHostName | String | 1 | The name of the device hosting the SmartConnector. 
ID | connectorId | String | 1 | The identifier associated with the SmartConnector configuration resource. The format is a pipe-separated list: connectorID(1)|connectorID(2)|... 
MAC Address | connectorMacAddress | MacAddress | 1 | The MAC address associated with the SmartConnector (which may or may not be the MAC address of the host device). 
Name | connectorName | String | 1 | The user-supplied name of the associated SmartConnector configuration resource. 
NT Domain | connectorNtDomain | String | 1 | The Windows NT domain associated with the device hosting the SmartConnector. 
Receipt Time | connectorReceiptTime | DateTime | 2 | The time the event arrived at the SmartConnector. 
Severity | connectorSeverity | Connector Severity Enumeration | 1 | The normalized ArcSight form of the event severity value provided by the SmartConnector. 
Time Zone | connectorTimeZone | String | 1 | The time zone reported by the device hosting the SmartConnector (as TLA). 
Time Zone Offset | connectorTimeZoneOffset | Integer | 1 | The time zone reported by the device hosting the SmartConnector (shown as a UTC offset). Note that device times may be less accurate than other sources. 
Translated Address | connectorTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device hosting the SmartConnector. 
Translated Zone | connectorTranslatedZone | Zone | 1 | If network address translation is an issue, this is the Network Zone associated with the translated IP address of the device hosting the SmartConnector. 
Translated Zone External ID | connectorTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference. 
Translated Zone ID | connectorTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference. 
Translated Zone Name | connectorTranslatedZoneName | String | 1 | Returns the name from the URI. It assumes that the name is always the last field of the URI. 
Translated Zone Reference ID | connectorTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference is stored and uniquely identified in the database. 
Translated Zone Resource | connectorTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference. 
Translated Zone URI | connectorTranslatedZoneURI | String | 1 | Returns the URI for this reference. 
Type | connectorType | String | 1 | A description of the type of SmartConnector that reported the event. 
Version | connectorVersion | String | 1 | The software revision number of the SmartConnector that reported the event. 
Zone | connectorZone | Zone | 1 | The network zone in which the device hosting this SmartConnector resides. 
Zone External ID | connectorZoneExternalID | String | 1 | Returns the external ID for this reference. 
Zone ID | connectorZoneID | String | 1 | Returns the ID for the resource in this resource reference. 
Zone Name | connectorZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI. 
Zone Reference ID | connectorZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. 
Zone Resource | connectorZoneResource | Resource | 1 | Locates the resource described by this reference. 
Zone URI | connectorZoneURI | String | 1 | Returns the URI for this reference. 


Attacker Group 


Attacker Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Attacker Group Field Description 
Address | attackerAddress | IP address | 1 | The IP address of the device hosting the attacker. 
Asset ID | attackerAssetId | Resource | 2 | The asset that represents the device hosting the attacker. 
Asset Name | attackerAssetName | String | 2 | The name of the asset that represents the device hosting the attacker. 
Asset Resource | attackerAssetResource | Resource | 2 | The Resource of the asset that represents the device hosting the attacker. 
DNS Domain | attackerDnsDomain | String | 2 | The Domain Name Service domain name associated with the device hosting the attacker. 
FQDN | attackerFqdn | String | 2 | The fully qualified domain name associated with the device hosting the attacker. 
Geo | attackerGeo | GeoDescriptor | 1 | The geographical information. 
Geo Country Code | attackerGeoCountryCode | String | 1 | The identifier for the national-political state in which a device resides. 
Geo Country Flag URL | attackerGeoCountryFlagUrl | String | 1 | The URL of an image of the flag of the national-political state in which the device resides. 
Geo Country Name | attackerGeoCountryName | String | 1 | The name of the national-political state where a device resides. 
Geo Descriptor ID | attackerGeoDescriptorId | ID | 1 | The internal ID of the geographical reference. 
Geo Latitude | attackerGeoLatitude | Double | 1 | The latitude of a device. 
Geo Location Info | attackerGeoLocationInfo | String | 2 | Other, free-form text information about the device's location. 
Geo Longitude | attackerGeoLongitude | Double | 1 | The longitude of a device. 
Geo Postal Code | attackerGeoPostalCode | String | 1 | The postal code of the device's location, as assigned by the national-political state where it resides. 
Geo Region Code | attackerGeoRegionCode | String | 1 | The identifier of the sub-region of the national-political state where a device resides. The style of the identifier varies with the host country. 
Host Name | attackerHostName | String | 2 | The name of the device hosting the attacker. 
MAC Address | attackerMacAddress | MAC address | 2 | The MAC address associated with the source of the attack (which may or may not be the MAC address of the host device). 
NT Domain | attackerNtDomain | String | 2 | The Windows NT domain associated with the device hosting the attacker. 
Port | attackerPort | Integer | 1 | The network port associated with the source of the attack. 
Process ID | attackerProcessId | Integer | 2 | The ID of the process associated with the source of the attack. 
Process Name | attackerProcessName | String | 2 | The name of the process associated with the source of the attack. 
Service Name | attackerServiceName | String | 2 | The name of the service associated with the source of the attack. 
Translated Address | attackerTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device hosting the attacker. 
Translated Port | attackerTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated source port associated with the attack. This can happen in a NAT environment. 
Translated Zone | attackerTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the attacker. 
Translated Zone External ID | attackerTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference. 
Translated Zone ID | attackerTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference. 
Translated Zone Name | attackerTranslatedZoneName | String | 1 | See the common set of resource attributes. It is assumed that the name is always the last field of the URI. 
Translated Zone Reference ID | attackerTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. 
Translated Zone Resource | attackerTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference. 
Translated Zone URI | attackerTranslatedZoneURI | String | 1 | Returns the URI for this reference. 
User ID | attackerUserId | String | 2 | The identifier associated with the OS or application of the attacker, at the source of the attack. 
User Name | attackerUserName | String | 2 | The name associated with the attacker, at the source of the attack. 
User Privileges | attackerUserPrivileges | String | 2 | The user privileges associated with the attacker, at the source of the attack. 
Zone | attackerZone | Zone | 1 | The network zone in which the attacker's device resides. 
Zone External ID | attackerZoneExternalID | String | 1 | Returns the external ID for this reference. 
Zone ID | attackerZoneID | String | 1 | Returns the ID for the resource in this resource reference. 
Zone Name | attackerZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI. 
Zone Reference ID | attackerZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database. 
Zone Resource | attackerZoneResource | Resource | 1 | Locates the resource described by this reference. 
Zone URI | attackerZoneURI | String | 1 | See the common set of resource attributes. 


Category Group 


Category Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Category Group Field Description 
Behavior | categoryBehavior | String | 1 | Describes the action taken with or by the object. 
Custom Format Field | categoryCustomFormatField | String | 1 | Describes the content of a custom formatted field, if present. 
Descriptor ID | categoryDescriptorId | ID | 1 | The unique ID for the sensor that reported the event. 
Device Group | categoryDeviceGroup | String | 1 | The type of event. For example, logging into a firewall is an Operating System type of event. 
Device Type | categoryDeviceType | String | 2 | The type of device. For example, logging into a firewall would show the Device Type as Firewall. 
Object | categoryObject | String | 1 | Describes the physical or virtual object that was the focus of the event. 
Outcome | categoryOutcome | String | 1 | Indicates whether the action was successfully applied to the object. 
Significance | categorySignificance | String | 1 | Characterizes the event from a network-intrusion-detection perspective. 
Technique | categoryTechnique | String | 1 | Describes the method used to apply the action to the object. 
Tuple Description | categoryTupleDescription | String | 1 | The prose description of the event category, assembled from the category components. 


Destination Group 


Destination Group Data Fields 


Label 

Script Alias 

Data Type 

Default 

Turbo 

Level 

Destination 

Group Field 
Description 

Address 

destinationAddress 

IP address 

1 

The IP address of 

the destination 

device. 

Asset ID 

destinationAssetld 

Resource 

2 

The asset that 
represents the 
device that was 

the network 

traffic's 

destination. 
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Destination Group Data Fields, continued 


Default Destination 

Turbo Group Field 

Label Script Alias Data Type Level Description 

Asset 

Name 

destinationAssetName 

String 

2 

The name of the 

device. 

Asset 

Resource 

destinationAssetResource 

Resource 

2 

See the common 

set of resource 

attributes. 

DNS 

Domain 

destinationDnsDomain 

String 

2 

The Domain 

Name Service 

domain name 

associated with 

the user at the 

destination 

device. 

FQDN 

destinationFqdn 

String 

2 

The fully qualified 
domain name 

associated with 

the destination 

device. 

Geo 

destinationGeo 

GeoDescriptor 

1 

See the common 

set of 

geographical 

attributes. 

Geo 

Country 

Code 

destinationGeoCountryCode 

String 

1 

The identifier for 

the national- 
political state in 
which a device 

resides. 

Geo 
Country 
Flag URL 

destinationGeoCountryFlagUrl 

String 

1 

The URL of an 
image of the flag 
of the national- 
political state in 
which the device 

resides. 

Geo 

Country 

Name 

destinationGeoCountryName 

String 

1 

The name of the 
national-political 
state where a 

device resides. 
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Destination Group Data Fields, continued 


Default Destination 

Turbo Group Field 

Label Script Alias Data Type Level Description 

Geo 

Descriptor 

ID 

destinationGeoDescriptorld 

ID 

1 

The internal ID of 
the geographical 
reference. 

Geo 

Latitude 

destinationGeoLatitude 

Double 

1 

The destination 
latitude of the 

device. 

Geo 

Location 

Info 

destinationGeoLocationlnfo 

String 

1 

Other, free-form 
text information 

about the device's 

location. 

Geo 

Longitude 

destinationGeoLongitude 

Double 

1 

The destination 
longitude. 

Geo 

Postal 

Code 

destinationGeoPostalCode 

String 

1 

The postal code 
of the device's 
location, as 
assigned by the 
national-political 
state where it 

resides. 

Geo 

Region 

Code 

destinationGeoRegionCode 

String 

1 

The identifier of 
the sub-region of 
the national- 
political state 
where a device 
resides. The style 
of the identifier 

varies with the 
host country. 

Host 

Name 

destinationHostName 

String 

2 

The name of the 

destination 

device. 
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Destination Group Data Fields, continued 


Default Destination 

Turbo Group Field 

Label Script Alias Data Type Level Description 

MAC 

Address 

destinationMacAddress 

MAC address 

2 

The MAC address 

associated with 

the network 

traffic's 

destination (which 
may or may not 
be the MAC 

address of the 
host device). 

NT 

Domain 

destinationNtDomain 

String 

2 

The Windows NT 

domain 

associated with 

the destination 

device. 

Port 

destinationPort 

Integer 

1 

The network port 
associated with 

the network 

traffic's 

destination. 

Process 

ID 

destinationProcessid 

Integer 

2 

The ID of the 

process 

associated with 

the network 

traffic's destination.

Label | Script Alias | Data Type | Default Turbo Level | Description
Process Name | destinationProcessName | String | 2 | The name of the process associated with the network traffic's destination.
Service Name | destinationServiceName | String | 2 | The name of the service associated with the network traffic's destination.
Translated Address | destinationTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device that was the network traffic's destination.
Translated Port | destinationTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated port at the network traffic's destination.
Translated Zone | destinationTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device at the network traffic's destination.
Translated Zone External ID | destinationTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference.
Translated Zone ID | destinationTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Translated Zone Name | destinationTranslatedZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Translated Zone Reference ID | destinationTranslatedZoneReferenceID | ID | 1 | See the common set of resource attributes.
Translated Zone Resource | destinationTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference.
Translated Zone URI | destinationTranslatedZoneURI | String | 1 | Returns the URI for this reference.
User ID | destinationUserId | String | 2 | The OS- or application-based identifier associated with the user at the network traffic's destination.
User Name | destinationUserName | String | 2 | The name associated with the user at the network traffic's destination.
User Privileges | destinationUserPrivileges | String | 2 | The privileges accorded the user at the network traffic's destination.
Zone | destinationZone | Zone | 1 | The network zone in which the destination device resides.
Zone External ID | destinationZoneExternalID | String | 1 | Returns the external ID for this reference.
Zone ID | destinationZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Zone Name | destinationZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Zone Reference ID | destinationZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Zone Resource | destinationZoneResource | Resource | 1 | Locates the resource described by this reference.
Zone URI | destinationZoneURI | String | 1 | See the common set of resource attributes.
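The translated fields above only carry a value when address translation sits between the sensor and the destination, and a rule or filter that mixes a translated address with an untranslated port or zone will quietly never match. The Python helper below, added here as an example and not code from this guide or from ESM, chooses one consistent destination tuple per event (translated side when present, untranslated side otherwise) and derives the zone name with the last-field-of-the-URI rule the table states. It assumes the event is available as a flat dict keyed by script alias; the sample events, addresses and zone URIs are constructed.

```python
"""Pick the effective destination of an event when NAT is involved.

Added example (not code from the ArcSight Console User's Guide or from ESM).
Assumes an event is a flat dict keyed by the script aliases listed in the
Destination Group table; the zone-name rule (last field of the URI) is the one
the guide states. Sample events are constructed.
"""
import ipaddress


def zone_name_from_uri(uri):
    """Return the zone name: the guide says it is always the last URI field."""
    if not uri:
        return None
    return uri.rstrip("/").rsplit("/", 1)[-1] or None


def effective_destination(event):
    """Return (address, port, zone_name, translated) for correlation.

    Policy: if destinationTranslatedAddress is populated, the device reported
    a post-translation destination, and this helper prefers that side. Port
    and zone are taken from the same side as the address so the tuple stays
    internally consistent. Swap the preference if your content keys on the
    pre-NAT view; the point is to never mix the two sides.
    """
    translated = bool(event.get("destinationTranslatedAddress"))
    prefix = "destinationTranslated" if translated else "destination"
    address = event.get(prefix + "Address")
    if address is not None:
        address = str(ipaddress.ip_address(address))  # rejects garbage early
    port = event.get(prefix + "Port")
    zone = zone_name_from_uri(event.get(prefix + "ZoneURI"))
    return address, port, zone, translated


# Constructed sample events (hypothetical addresses and zone URIs).
NAT_EVENT = {
    "destinationAddress": "203.0.113.10",
    "destinationPort": 443,
    "destinationZoneURI": "/All Zones/ArcSight System/Public Address Space Zones/APNIC",
    "destinationTranslatedAddress": "10.20.30.40",
    "destinationTranslatedPort": 8443,
    "destinationTranslatedZoneURI": "/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255",
}
PLAIN_EVENT = {
    "destinationAddress": "192.0.2.5",
    "destinationPort": 22,
    "destinationZoneURI": "/All Zones/Site/DMZ",
}

if __name__ == "__main__":
    for ev in (NAT_EVENT, PLAIN_EVENT):
        print(effective_destination(ev))
```

For NAT_EVENT the helper returns the translated tuple with zone "RFC1918: 10.0.0.0-10.255.255.255"; for PLAIN_EVENT it falls back to the untranslated fields and reports translated=False, which is the signal a rule author can key on when deciding which side to correlate against.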


Device Group 

This category falls into the device-to-Manager information chain. The chain begins at Device, which is 
the actual network hardware that senses an event. In cases where data is concentrated or otherwise 
pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original 
Connector. Although the Original Connector is usually the only connector, if the data passes up 
through a Manager hierarchy the chain includes handling by Connector stages that are the Manager 
SmartConnectors that facilitate Manager-to-Manager connections. 
Device Group Data Fields

Label | Script Alias | Data Type | Default Turbo Level | Description
Action | deviceAction | String | 2 | The device-specific description of some activity associated with the event.
Address | deviceAddress | IP address | 1 | The IPv4 address of the device hosting the sensor. Note: For the IPv6 address data type, see "Device Custom Group" on page 907.
Asset ID | deviceAssetId | Resource | 1 | The asset that represents the device hosting the sensor.
Asset Name | deviceAssetName | String | 1 | The name of the device.
Asset Resource | deviceAssetResource | Resource | 1 | The resource the asset represents.
Descriptor ID | deviceDescriptorId | ID | 1 | The asset's descriptor ID.
Direction | deviceDirection | DeviceDirectionEnumeration | 2 | Whether the traffic was inbound or outbound.
DNS Domain | deviceDnsDomain | String | 1 | The Domain Name Service domain name associated with the device hosting the sensor.
Domain | deviceDomain | String | 2 | The specific domain containing the sensor device associated with the event.
Event Category | deviceEventCategory | String | 2 | The category description included with the event as reported by the device.
Event Class ID | deviceEventClassId | String | 2 | The device-specific identifier associated with this type of event. Note: A generic UNIX syslog parser displays the ID in this format: arcsight:x.x
External ID | deviceExternalId | String | 1 | The external identifier associated with this sensor device, if provided by the vendor.
Facility | deviceFacility | String | 1 | The sensor submodule that reported the event.
Host Name | deviceHostName | String | 1 | The name of the device hosting the sensor.
Inbound Interface | deviceInboundInterface | String | 1 | The NIC on the sensor device that received the network traffic associated with the event.
MAC Address | deviceMacAddress | MAC address | 1 | The MAC address associated with the source of the attack (which may or may not be the MAC address of the host device).
NT Domain | deviceNtDomain | String | 1 | The Windows NT domain associated with the device hosting the sensor.
Outbound Interface | deviceOutboundInterface | String | 1 | The NIC on the sensor device that transmitted the network traffic associated with the event.
Payload ID | devicePayloadId | String | 2 | The internal identifier of a payload object associated with this event.
Process ID | deviceProcessId | Integer | 2 | The ID of the sensor device process that reported the event.
Process Name | deviceProcessName | String | 1 | The name of the sensor device process that reported the event.
Product | deviceProduct | String | 1 | The product name of the sensor device.
Receipt Time | deviceReceiptTime | DateTime | 2 | The time when the sensor device observed the event.
Severity | deviceSeverity | String | 2 | The device-specific assessment of event severity. This assessment varies with the device involved.
Time Zone | deviceTimeZone | String | 1 | The time zone reported by the device hosting the sensor (shown as a three-letter abbreviation).
Time Zone Offset | deviceTimeZoneOffset | Integer | 1 | The time zone reported by the device hosting the sensor (shown as an offset from UTC).
Translated Address | deviceTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device hosting the sensor.
Translated Zone | deviceTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device hosting the sensor.
Translated Zone External ID | deviceTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference.
Translated Zone ID | deviceTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Translated Zone Name | deviceTranslatedZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Translated Zone Reference ID | deviceTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Translated Zone Resource | deviceTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference.
Translated Zone URI | deviceTranslatedZoneURI | String | 1 | Returns the URI for this reference.
Vendor | deviceVendor | String | 1 | The vendor who manufactured or sold the sensor device.
Version | deviceVersion | String | 1 | The software revision number of the sensor device.
Zone | deviceZone | Zone | 1 | The network zone in which the sensor device resides.
Zone External ID | deviceZoneExternalID | String | 1 | Returns the external ID for this reference.
Zone ID | deviceZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Zone Name | deviceZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Zone Reference ID | deviceZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been persisted and given a unique database identifier.
Zone Resource | deviceZoneResource | Resource | 1 | Locates the resource described by this reference.
Zone URI | deviceZoneURI | String | 1 | See the common set of resource attributes.


Device Custom Group 


Device Custom Group Data Fields

Label | Script Alias | Data Type | Default Turbo Level | Description
Date1 | deviceCustomDate1 | DateTime | 2 | First customDate
Date1 Label | deviceCustomDate1Label | String | 2 | First customDate label
Date2 | deviceCustomDate2 | DateTime | 2 | Second customDate
Date2 Label | deviceCustomDate2Label | String | 2 | Second customDate label
Number1 | deviceCustomNumber1 | Long | 2 | First customNumber
Number1 Label | deviceCustomNumber1Label | String | 2 | First customNumber label
Number2 | deviceCustomNumber2 | Long | 2 | Second customNumber
Number2 Label | deviceCustomNumber2Label | String | 2 | Second customNumber label
Number3 | deviceCustomNumber3 | Long | 2 | Third customNumber
Number3 Label | deviceCustomNumber3Label | String | 2 | Third customNumber label
String1 | deviceCustomString1 | String | 2 | First customString
String1 Label | deviceCustomString1Label | String | 2 | First customString label
String2 | deviceCustomString2 | String | 2 | Second customString
String2 Label | deviceCustomString2Label | String | 2 | Second customString label
String3 | deviceCustomString3 | String | 2 | Third customString
String3 Label | deviceCustomString3Label | String | 2 | Third customString label
String4 | deviceCustomString4 | String | 2 | Fourth customString
String4 Label | deviceCustomString4Label | String | 2 | Fourth customString label
String5 | deviceCustomString5 | String | 2 | Fifth customString
String5 Label | deviceCustomString5Label | String | 2 | Fifth customString label
String6 | deviceCustomString6 | String | 2 | Sixth customString
String6 Label | deviceCustomString6Label | String | 2 | Sixth customString label
Floating Point1 | deviceCustomFloatingPoint1 | Double | 2 | First custom floating point
Floating Point1 Label | deviceCustomFloatingPoint1Label | String | 2 | First custom floating point label
Floating Point2 | deviceCustomFloatingPoint2 | Double | 2 | Second custom floating point
Floating Point2 Label | deviceCustomFloatingPoint2Label | String | 2 | Second custom floating point label
Floating Point3 | deviceCustomFloatingPoint3 | Double | 2 | Third custom floating point
Floating Point3 Label | deviceCustomFloatingPoint3Label | String | 2 | Third custom floating point label
Floating Point4 | deviceCustomFloatingPoint4 | Double | 2 | Fourth custom floating point
Floating Point4 Label | deviceCustomFloatingPoint4Label | String | 2 | Fourth custom floating point label

Note: The following device custom fields support IPv6 addresses. The IPv6 address is stored in the database in its full form, but ESM displays it in the simplified (compressed) format, that is, with the zeros dropped. Note also that the floating point values are Double and their labels are String; the pairing is the same as for the other custom fields.

IPv6 Address1 | deviceCustomIPv6Address1 | IPv6 address | 2 | First custom IPv6 address
IPv6 Address1 Label | deviceCustomIPv6Address1Label | String | 2 | First custom IPv6 address label
IPv6 Address2 | deviceCustomIPv6Address2 | IPv6 address | 2 | Second custom IPv6 address
IPv6 Address2 Label | deviceCustomIPv6Address2Label | String | 2 | Second custom IPv6 address label
IPv6 Address3 | deviceCustomIPv6Address3 | IPv6 address | 2 | Third custom IPv6 address
IPv6 Address3 Label | deviceCustomIPv6Address3Label | String | 2 | Third custom IPv6 address label
IPv6 Address4 | deviceCustomIPv6Address4 | IPv6 address | 2 | Fourth custom IPv6 address
IPv6 Address4 Label | deviceCustomIPv6Address4Label | String | 2 | Fourth custom IPv6 address label
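The custom fields above come in value/label pairs, and the label is what gives a deviceCustomString1 value its meaning for a particular connector: the same slot holds a request method for one product and a rule name for another. The Python below, added here as an example and not code from this guide or from ESM, folds each pair into a dict keyed by label and normalizes the IPv6 custom fields between the stored full form and the displayed compressed form described in the note, dropping values that are not valid IPv6 rather than mislabelling them. It assumes a flat dict keyed by script alias; the sample event and its labels are constructed.

```python
"""Resolve ArcSight device custom fields into labelled values.

Added example (not code from the ArcSight Console User's Guide or from ESM).
Assumes an event is available as a flat dict keyed by script alias; the
sample event below is constructed.
"""
import ipaddress
import re

# Matches the value half of a custom pair (deviceCustomString1,
# deviceCustomNumber2, deviceCustomIPv6Address3, ...); the label half is the
# same alias with "Label" appended, so it does not match the trailing $.
_CUSTOM_VALUE = re.compile(
    r"^deviceCustom(Date|Number|String|FloatingPoint|IPv6Address)\d$"
)


def normalize_ipv6(value):
    """Return (full_form, display_form) for an IPv6 custom field, or None.

    The guide states that the address is stored in full form and shown with
    zeros dropped; ipaddress gives both spellings and rejects values that are
    not IPv6 at all, which a connector can still emit into these slots.
    """
    try:
        addr = ipaddress.IPv6Address(value)
    except (ipaddress.AddressValueError, ValueError):
        return None
    return addr.exploded, addr.compressed


def resolve_custom_fields(event):
    """Map custom values onto their labels.

    Returns {label: value}. Pairs whose label is missing are keyed by the
    script alias so the value is not silently lost. IPv6 values are returned
    in the compressed display form.
    """
    resolved = {}
    for alias, value in event.items():
        m = _CUSTOM_VALUE.match(alias)
        if m is None or value in (None, ""):
            continue
        label = event.get(alias + "Label") or alias
        if m.group(1) == "IPv6Address":
            forms = normalize_ipv6(value)
            if forms is None:
                continue  # unparseable address: drop rather than mislabel
            value = forms[1]
        resolved[label] = value
    return resolved


# Constructed sample event: the kind of custom fields a web proxy connector
# might populate (hypothetical values and labels).
SAMPLE_EVENT = {
    "deviceCustomString1": "GET",
    "deviceCustomString1Label": "Request Method",
    "deviceCustomNumber1": 403,
    "deviceCustomNumber1Label": "HTTP Status",
    "deviceCustomString2": "unlabelled value",
    "deviceCustomIPv6Address1": "2001:0db8:0000:0000:0000:0000:0000:0001",
    "deviceCustomIPv6Address1Label": "Client IPv6",
    "deviceCustomIPv6Address2": "not-an-address",
    "deviceCustomIPv6Address2Label": "Broken",
}

if __name__ == "__main__":
    for label, value in sorted(resolve_custom_fields(SAMPLE_EVENT).items()):
        print(f"{label}: {value}")
```

Keying on the label rather than the slot number is what keeps content portable across connector versions; the fallback to the alias when no label is set makes an unlabelled slot visible instead of invisible.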
Event Group

Event Group Data Fields

Label | Script Alias | Data Type | Default Turbo Level | Description
Additional Data | additionalData | AdditionalData | 3 | Reference to additional data.
Aggregated Event Count | (not applicable) | (not applicable) | N/A | A derived field that reports the number of actual events collectively represented by the event in question.
Application Protocol | applicationProtocol | String | 2 | A description of the application layer protocol. May be set, but defaults to a lookup of the target port (for example, FTP).
Base Event IDs | baseEventIds | ID | 2 | The array of event IDs that contributed to generating this correlation event. This is populated only in correlated events.
Bytes In | bytesIn | Integer | 2 | Number of bytes transferred into the device during this transaction (typically associated with entries in HTTP logs).
Bytes Out | bytesOut | Integer | 2 | Number of bytes transferred out of the device during this transaction (typically associated with entries in HTTP logs).
Concentrator Connectors | concentratorConnectors | ConnectorDescriptor | 2 | The chain of concentrators that forwarded the event. This is not yet exposed in the user interface.
Concentrator Devices | concentratorDevices | DeviceDescriptor | 2 | The list of devices that concentrate events, if applicable. This is not exposed in the user interface.
Correlated Event Count | (not applicable) | (not applicable) | N/A | A derived field that reports the number of actual events that had to occur to cause a correlation event to occur.
Crypto Signature | cryptoSignature | String | 2 | The signature of the event object (meaning this alert, as opposed to the occurrence represented by the event). Not yet supported.
Customer | customer | Customer | 1 | The "customer" resource reference. This is used in MSSP environments to describe the client or divisional entity to whom the event applies.
Customer External ID | customerExternalID | String | 1 | Returns the external ID for this reference.
Customer ID | customerID | String | 1 | Returns the ID for the resource in this resource reference.
Customer Name | customerName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Customer Reference ID | customerReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Customer Resource | customerResource | Resource | 1 | Locates the resource described by this reference.
Customer URI | customerURI | String | 1 | Returns the URI for this reference.
End Time | endTime | DateTime | 1 | The time the event ends (defaults to deviceReceiptTime).
Event ID | eventId | ID | 1 | A 64-bit long value identifying an event. A negative event ID is normal. The less significant 48 bits are assigned to a newly received event by the receiving Manager; these bits uniquely identify the event in the database of that Manager. The more significant 16 bits are used to store forwarding information. When an event ID with 1 in the topmost bit is represented as a Java long value, the event ID is interpreted as a negative number according to JVM rules. When displayed, such an event ID appears as a decimal number with a minus sign in front of it.
Event Outcome | eventOutcome | String | 2 | The outcome of the event as reported by the device (when applicable). For example, Windows reports an event as audit_success or audit_failure.
External ID | externalId | String | 2 | A reference to the ID used by an external device. This is useful for tracking devices that create events that contain references to these IDs (for example, ManHunt).
Generator | generator | null | 1 | The "generator" resource reference (the resource that generated the event). This is the subcomponent in the connector that generates the event.
Generator External ID | generatorExternalID | String | 1 | Returns the external ID for this reference.
Generator ID | generatorID | String | 1 | Returns the ID for the resource in this resource reference.
Generator Name | generatorName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Generator Reference ID | generatorReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Generator Resource | generatorResource | Resource | 1 | Locates the resource described by this reference.
Generator URI | generatorURI | String | 1 | Returns the URI for this reference.
Locality | locality | LocalityEnumeration | 2 | The locality associated with the event. Possible values: Local = 0: events were sent to a Manager from SmartConnectors. Forwarded = 1: events were sent to a Manager from a Forwarding Connector. Remote = 2: events were fetched from a remote Manager (to display a rule chain, for example). ESMPassThrough = 3: the event is processed by ESM. DirectPassToLogger = 4: the event is not processed by ESM and is passed to Logger or any other product.
Message | message | String | 2 | A brief comment associated with this event.
Name | name | String | 1 | An arbitrary string that describes this type of event. Event details included in other parts of an event should not be used in the event name.
Originator | originator | OriginatorEnumeration | 1 | Holds the value Source or Destination. This determines whether source and destination are translated to attacker and target as they are, or reversed.
Persistence | persistence | PersistenceEnumeration | 2 | There are two states: Persisted or Transient. Events default to being Transient and are marked as Persisted as soon as they reach the Batch Alert Persister or when they are loaded by the Alert Broker.
Raw Event | rawEvent | String | 1 | The original log entry reported by the sensor (synthesized when the sensor does not log to a file or text stream).
Reason | reason | String | 2 | The cause of the event, when applicable. For example, Invalid Password.
Rule Thread ID | ruleThreadId | String | 2 | A single rule can issue many events, based on several triggers, starting with On First Event and ending with On Threshold Timeout. All such events for a single rule and a single Group By tuple are marked with the same identifier using this attribute.
Session ID | sessionId | Long | 2 | Tags events created by a correlation simulation as part of a particular simulation.
Start Time | startTime | DateTime | 1 | The time the event begins (defaults to deviceReceiptTime).
Transport Protocol | transportProtocol | String | 1 | The format of the transmitted data associated with the event from a network transport perspective (for example, TCP, UDP).
Type | type | TypeEnumeration | 1 | One of the event types: Base, Correlation, Aggregated, or Action.
Vulnerability | vulnerability | Vulnerability | 2 | The vulnerability resource that represents the vulnerability or exposure that may be exploited by this event and that is present on the targeted device according to the network model.
Vulnerability External ID | vulnerabilityExternalID | String | 2 | Returns the external ID for this reference.
Vulnerability ID | vulnerabilityID | String | 2 | Returns the ID for the resource in this resource reference.
Vulnerability Name | vulnerabilityName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Vulnerability Reference ID | vulnerabilityReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Vulnerability Resource | vulnerabilityResource | Resource | 2 | Locates the resource described by this reference.
Vulnerability URI | vulnerabilityURI | String | 2 | Returns the URI for this reference.
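The Event ID row gives enough of the layout to take an ID apart: the low 48 bits are the Manager-local identifier, the high 16 bits carry forwarding information, and the whole value is a signed Java long, so a set top bit shows up as a negative decimal number. The Python below, added here as an example and not code from this guide or from ESM, encodes and decodes IDs on exactly that layout and shows why the same local ID is positive before forwarding and negative after. The meaning of the individual forwarding bits is not given on the page and is not assumed; the sample values are constructed.

```python
"""Decode and build ESM event IDs on the layout described in the Event ID row.

Added example (not code from the ArcSight Console User's Guide or from ESM).
Low 48 bits = per-Manager local ID, high 16 bits = forwarding information,
stored as a signed 64-bit Java long. The internal structure of the 16
forwarding bits is not stated on the page and is not assumed here.
"""

LOCAL_BITS = 48
LOCAL_MASK = (1 << LOCAL_BITS) - 1  # 0x0000FFFFFFFFFFFF
FORWARD_MASK = 0xFFFF
MOD64 = 1 << 64


def to_java_long(unsigned):
    """Reinterpret an unsigned 64-bit integer as a signed Java long."""
    if not 0 <= unsigned < MOD64:
        raise ValueError("not a 64-bit value")
    return unsigned - MOD64 if unsigned >> 63 else unsigned


def to_unsigned(event_id):
    """Inverse of to_java_long: map a (possibly negative) long to 0..2^64-1."""
    if not -(1 << 63) <= event_id < (1 << 63):
        raise ValueError("not a signed 64-bit value")
    return event_id % MOD64


def decode_event_id(event_id):
    """Split an event ID into (forwarding_info, local_id)."""
    u = to_unsigned(event_id)
    return u >> LOCAL_BITS, u & LOCAL_MASK


def encode_event_id(forwarding_info, local_id):
    """Build the signed event ID the Console would display."""
    if not 0 <= forwarding_info <= FORWARD_MASK:
        raise ValueError("forwarding info must fit in 16 bits")
    if not 0 <= local_id <= LOCAL_MASK:
        raise ValueError("local id must fit in 48 bits")
    return to_java_long((forwarding_info << LOCAL_BITS) | local_id)


def is_forwarded(event_id):
    """True when any forwarding bits are set (the ID did not originate here)."""
    return decode_event_id(event_id)[0] != 0


if __name__ == "__main__":
    # A locally generated event keeps the high 16 bits clear and stays
    # positive; once forwarding info with the top bit set is written, the
    # same local ID prints as a negative number, which the guide says is normal.
    local = 0x123456789ABC  # constructed local ID
    for fwd in (0x0000, 0x0001, 0x8001):
        eid = encode_event_id(fwd, local)
        print(f"fwd=0x{fwd:04x} local=0x{local:012x} -> {eid} "
              f"(negative={eid < 0}, decoded={decode_event_id(eid)})")
```

The practical consequence for detection content and for joining ESM exports against other systems: compare the 48-bit local part when you want "the same event" across Managers, and never drop the sign or parse the decimal as an unsigned value, since that silently changes the forwarding bits.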
Event Annotation Group

Event Annotation Group Data Fields

Label | Script Alias | Data Type | Default Turbo Level | Description
Audit Trail | eventAnnotationAuditTrail | String | 2 | The text log of annotation changes. Changes are recorded as sets of comma-separated-value entries.
Comment | eventAnnotationComment | String | 2 | A text description of the event or associated information.
End Time | eventAnnotationEndTime | DateTime | 2 | The timestamp for an event annotation.
Event ID | eventAnnotationEventId | ID | 2 | The event ID of the annotated event.
Flags | eventAnnotationFlags | FlagsValueSet | 2 | The state of the collaboration flags. Note: The event fields isReviewed, Closed, Hidden, Correlated, inCase, hasAction, and Forwarded are derived from eventAnnotationFlags. You cannot add those individual event fields to a field set, but you can add the eventAnnotationFlags field instead, then use a local or global variable to extract the desired flag. See "Creating a Field Set" on page 547 and "Global Variables" on page 555.
Manager Receipt Time | eventAnnotationManagerReceiptTime | DateTime | 2 | The time the Manager received the event annotation.
Modification Time | eventAnnotationModificationTime | DateTime | 2 | The time the annotation was modified.
Modified By | eventAnnotationModifiedBy | User | 2 | The user ID of the person who last edited this annotation.
Modified By External ID | eventAnnotationModifiedByExternalID | String | 2 | Returns the external ID for this reference.
Modified By ID | eventAnnotationModifiedByID | String | 2 | Returns the ID for the resource in this resource reference.
Modified By Name | eventAnnotationModifiedByName | String | 2 | Returns the name from the URI (the last field of the URI).
Modified By Reference ID | eventAnnotationModifiedByReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Modified By Resource | eventAnnotationModifiedByResource | Resource | 2 | Locates the resource described by this reference.
Modified By URI | eventAnnotationModifiedByURI | String | 2 | Returns the URI for this reference.
Stage | eventAnnotationStage | Stage | 2 | The current disposition of the event. This enables annotation workflow.
Stage Event ID | eventAnnotationStageEventId | ID | 2 | The reference to an internal identifier for another event. It is used by "Mark Similar".
Stage External ID | eventAnnotationStageExternalID | String | 2 | Returns the external ID for this reference.
Stage ID | eventAnnotationStageID | String | 2 | Returns the ID for the resource in this resource reference.
Stage Name | eventAnnotationStageName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Stage Reference ID | eventAnnotationStageReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference is stored and uniquely identified in the database.
Stage Resource | eventAnnotationStageResource | Resource | 2 | Locates the resource described by this reference.
Stage Update Time | eventAnnotationStageUpdateTime | DateTime | 2 | The time of the last stage change (in UTC).
Stage URI | eventAnnotationStageURI | String | 2 | Returns the URI for this reference.
Stage User | eventAnnotationStageUser | User | 2 | The user associated with the current stage. This implements assignment within workflow.
Stage User External ID | eventAnnotationStageUserExternalID | String | 2 | Returns the external ID for this reference.
Stage User ID | eventAnnotationStageUserID | String | 2 | Returns the ID for the resource in this resource reference.
Stage User Name | eventAnnotationStageUserName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Stage User Reference ID | eventAnnotationStageUserReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference is stored and uniquely identified in the database.
Stage User Resource | eventAnnotationStageUserResource | Resource | 2 | Locates the resource described by this reference.
Stage User URI | eventAnnotationStageUserURI | String | 2 | Returns the URI for this reference.
Version | eventAnnotationVersion | Integer | 2 | The editing version number, which increments with each change. This enables optimistic locking.

File Group 

File Group Data Fields

Label | Script Alias | Data Type | Default Turbo Level | Description
Create Time | fileCreateTime | DateTime | 2 | The time the file was created (in UTC).
Hash | fileHash | String | 2 | The hash code associated with the file's contents (for example, MD5).
ID | fileId | String | 2 | The external identifier associated with the file.
Modification Time | fileModificationTime | DateTime | 2 | The time the file was last changed (in UTC).
Name | fileName | String | 2 | The name of the file.
Path | filePath | String | 2 | The directory path to the file in the file system.
Permission | filePermission | String | 2 | The user permissions associated with the file (sensor specific).
Size | fileSize | Long | 2 | The size of the file's contents (typically in bytes; sensor specific).
Type | fileType | String | 2 | The type of file contents (sensor specific).


Final Device Group 

This category falls into the device-to-Manager information chain. The chain begins at Device, which is 
the actual network hardware that senses an event. In cases where data is concentrated or otherwise 
pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original 
Connector. Although the Original Connector is usually the only connector, if the data passes up 
through a Manager hierarchy the chain includes handling by Connector stages that are the Manager 
SmartConnectors that facilitate Manager-to-Manager connections. 


Final Device Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Address | finalDeviceAddress | IP address | 2 | The IP address of the trusted reporting device.
Asset ID | finalDeviceAssetId | Resource | 2 | The asset that represents the trusted reporting device.
Asset Name | finalDeviceAssetName | String | 2 | The name of the trusted reporting device.
Asset Resource | finalDeviceAssetResource | Resource | 2 | The resource represented by the trusted reporting device.
Descriptor ID | finalDeviceDescriptorId | ID | 2 | The descriptor ID of the trusted reporting device.
DNS Domain | finalDeviceDnsDomain | String | 2 | The Domain Name Service domain name associated with the trusted reporting device.
External ID | finalDeviceExternalId | String | 2 | The external ID for the trusted reporting device, if provided by the vendor.
Facility | finalDeviceFacility | String | 2 | A facility or capability of a device. This accommodates concentrators (for example, syslog, which has a concept of device logging for "parts" of a device).
Host Name | finalDeviceHostName | String | 2 | The host name of the trusted reporting device.
Inbound Interface | finalDeviceInboundInterface | String | 2 | The NIC card on the sensor device that received the network traffic associated with the event.
MAC address | finalDeviceMacAddress | MAC address | 2 | The MAC address associated with the trusted reporting device.
NT Domain | finalDeviceNtDomain | String | 2 | The Windows NT domain associated with the trusted reporting device.
Outbound Interface | finalDeviceOutboundInterface | String | 2 | The NIC card on the trusted reporting device.
Process Name | finalDeviceProcessName | String | 2 | The process name of the trusted reporting device.
Product | finalDeviceProduct | String | 2 | The product name of the trusted reporting device.
Time Zone | finalDeviceTimeZone | String | 2 | The time zone reported by the trusted reporting device.
Time Zone Offset | finalDeviceTimeZoneOffset | Integer | 2 | Returns the raw time-zone offset for the trusted reporting device. Note that connector and device times are not always reliably accurate.
Translated Address | finalDeviceTranslatedAddress | IP address | 2 | If network address translation is an issue, this is the translated IP address of the trusted reporting device.
Translated Zone | finalDeviceTranslatedZone | Zone | 2 | If network address translation is an issue, this is the network zone associated with the translated IP address of the trusted reporting device.
Translated Zone External ID | finalDeviceTranslatedZoneExternalID | String | 2 | Returns the external ID for this reference.
Translated Zone ID | finalDeviceTranslatedZoneID | String | 2 | Returns the ID for the resource in this resource reference.
Translated Zone Name | finalDeviceTranslatedZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Translated Zone Reference ID | finalDeviceTranslatedZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Translated Zone Resource | finalDeviceTranslatedZoneResource | Resource | 2 | Locates the resource described by this reference.
Translated Zone URI | finalDeviceTranslatedZoneURI | String | 2 | Returns the URI for this reference.
Vendor | finalDeviceVendor | String | 2 | Device vendor.
Version | finalDeviceVersion | String | 2 | The software revision number of the trusted reporting device.
Zone | finalDeviceZone | Zone | 2 | The network zone in which the trusted reporting device resides.
Zone External ID | finalDeviceZoneExternalID | String | 2 | Returns the external ID for this reference.
Zone ID | finalDeviceZoneID | String | 2 | Returns the ID for the resource in this resource reference.
Zone Name | finalDeviceZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Zone Reference ID | finalDeviceZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Zone Resource | finalDeviceZoneResource | Resource | 2 | Locates the resource described by this reference.
Zone URI | finalDeviceZoneURI | String | 2 | Returns the URI for this reference.


Flex Group 


Flex Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Date1 | flexDate1 | DateTime | 2 | First flex Date.
Date1 Label | flexDate1Label | String | 2 | Label of the first flex Date.
Number1 | flexNumber1 | Long | 2 | First flex Number.
Number1 Label | flexNumber1Label | String | 2 | Label of the first flex Number.
Number2 | flexNumber2 | Long | 2 | Second flex Number.
Number2 Label | flexNumber2Label | String | 2 | Label of the second flex Number.
String1 | flexString1 | String | 2 | First flex String.
String1 Label | flexString1Label | String | 2 | Label of the first flex String.
String2 | flexString2 | String | 2 | Second flex String.
String2 Label | flexString2Label | String | 2 | Label of the second flex String.




Manager Group 

Label | Script Alias | Data Type | Default Turbo Level | Description
Receipt Time | managerReceiptTime | DateTime | 1 | The time at which the Manager first received the event.


Old File Group 


Old File Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Create Time | oldFileCreateTime | DateTime | 2 | The time the file was created (in UTC).
Hash | oldFileHash | String | 2 | The hashcode associated with the file's contents (for example, MD5).
ID | oldFileId | String | 2 | The external identifier associated with the file.
Modification Time | oldFileModificationTime | DateTime | 2 | The time the file was last changed (in UTC).
Name | oldFileName | String | 2 | The file's name.
Path | oldFilePath | String | 2 | The directory path to the file in the file system.
Permission | oldFilePermission | String | 2 | The user permissions associated with the file (sensor specific).
Size | oldFileSize | Long | 2 | The size of the file's contents (typically in bytes; sensor specific).
Type | oldFileType | String | 2 | The type of the file's contents (sensor specific).


Original Connector Group 

This category falls into the device-to-Manager information chain. The chain begins at Device, which is 
the actual network hardware that senses an event. Where data is concentrated or otherwise 
pre-processed, it may be passed to a trusted reporting Final Device before reaching an Original 
Connector. Although the Original Connector is usually the only connector, if the data passes up 
through a Manager hierarchy, the chain includes handling by Connector stages that are the Forwarding 
Connectors that facilitate Manager-to-Manager connections. 


Original Connector Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Address | originalConnectorAddress | IP address | 2 | The IP address of the device hosting the first reporting SmartConnector.
Asset ID | originalConnectorAssetID | Resource | 2 | The asset that represents the device hosting the first reporting SmartConnector.
Asset Name | originalConnectorAssetName | String | 2 | The first reporting connector's asset name.
Asset Resource | originalConnectorAssetResource | Resource | 2 | The first reporting connector's resource.
Descriptor ID | originalConnectorDescriptorId | ID | 2 | The first reporting connector's descriptor.
DNS Domain | originalConnectorDnsDomain | String | 2 | The Domain Name Service domain name associated with the device hosting the first reporting SmartConnector.
Host Name | originalConnectorHostName | String | 2 | The name of the device hosting the first reporting SmartConnector.
ID | originalConnectorId | String | 2 | The ID of the connector. The format is connectorId(1)|connectorId(2)|... (connector IDs separated by vertical bars).
MAC address | originalConnectorMacAddress | MAC address | 2 | The MAC address associated with the first reporting SmartConnector (which may or may not be the MAC address of the host device).
Name | originalConnectorName | String | 2 | User-supplied name of the first reporting connector.
NT Domain | originalConnectorNtDomain | String | 2 | The Windows NT domain associated with the device hosting the first reporting SmartConnector.
Time Zone | originalConnectorTimeZone | String | 2 | The time zone reported by the device hosting the first reporting SmartConnector.
Time Zone Offset | originalConnectorTimeZoneOffset | Integer | 2 | Returns the raw time-zone offset for the first reporting connector's time zone. Note that device and connector times may not be reliably accurate.
Translated Address | originalConnectorTranslatedAddress | IP address | 2 | If network address translation is an issue, this is the translated IP address of the device hosting the first reporting SmartConnector.
Translated Zone | originalConnectorTranslatedZone | Zone | 2 | If network address translation is an issue, this is the Network Zone associated with the translated IP address of the device hosting the first reporting SmartConnector.
Translated Zone External ID | originalConnectorTranslatedZoneExternalID | String | 2 | Returns the external ID for this reference.
Translated Zone ID | originalConnectorTranslatedZoneID | String | 2 | Returns the ID for the resource in this resource reference.
Translated Zone Name | originalConnectorTranslatedZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Translated Zone Reference ID | originalConnectorTranslatedZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Translated Zone Resource | originalConnectorTranslatedZoneResource | Resource | 2 | Locates the resource described by this reference.
Translated Zone URI | originalConnectorTranslatedZoneURI | String | 2 | Returns the URI for this reference.
Type | originalConnectorType | String | 2 | A string that describes the type of the first reporting connector. This is not the same as the device type.
Version | originalConnectorVersion | String | 2 | The software revision number of the SmartConnector that first reported the event.
Zone | originalConnectorZone | Zone | 2 | The network zone in which the device hosting the first reporting SmartConnector resides.
Zone External ID | originalConnectorZoneExternalID | String | 2 | Returns the external ID for this reference.
Zone ID | originalConnectorZoneID | String | 2 | Returns the ID for the resource in this resource reference.
Zone Name | originalConnectorZoneName | String | 2 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Zone Reference ID | originalConnectorZoneReferenceID | ID | 2 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and is uniquely identified in the database.
Zone Resource | originalConnectorZoneResource | Resource | 2 | Locates the resource described by this reference.
Zone URI | originalConnectorZoneURI | String | 2 | Returns the URI for this reference.
Request Group 


Request Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Client Application | requestClientApplication | String | 2 | The client application (such as a web browser) used to issue the request.
Client Application | requestClientApplication | String | 2 | A description of the client application used to initiate this request, for example, the HTTP User connector.
Context | requestContext | String | 2 | A description of the content from which the request originated, for example, the HTTP Referrer.
Cookies | requestCookies | String | 2 | Cookie data offered by the client application as part of the request.
Method | requestMethod | String | 2 | The style of the request, that is, for an HTTP request this could be PUT or GET.
Protocol | requestProtocol | String | 2 | The communication protocol used when issuing the request.
URL | requestUrl | String | 2 | A universal resource locator associated with the event.
URL Authority | requestUrlAuthority | String | 2 | The URL component used for authentication and authorization.
URL File Name | requestUrlFileName | String | 2 | The URL component that refers to the file containing the resource.
URL Host | requestUrlHost | String | 2 | The URL component that specifies the host device where the resource resides.
URL Port | requestUrlPort | Integer | 2 | The URL component that specifies the port to contact on the host device where the resource resides.
URL Query | requestUrlQuery | String | 2 | The URL component that specifies the query to use to request the resource.
Source Group 


Source Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Address | sourceAddress | IP address | 1 | The IP address of the source device.
Asset ID | sourceAssetId | Resource | 2 | The asset that represents the device that was the network traffic's source.
Asset Name | sourceAssetName | String | 2 | The name of the device.
Asset Resource | sourceAssetResource | Resource | 2 | See the common set of resource attributes.
DNS Domain | sourceDnsDomain | String | 2 | The Domain Name Service domain name associated with the user at the source device.
FQDN | sourceFqdn | String | 2 | The fully qualified domain name associated with the source device. This has no value if either the host name or DNS domain are without a value.
Geo | sourceGeo | GeoDescriptor | 1 | The geographical information.
Geo Country Code | sourceGeoCountryCode | String | 1 | The identifier for the national-political state in which a device resides.
Geo Country Flag URL | sourceGeoCountryFlagUrl | String | 1 | The URL of an image of the flag of the national-political state in which the device resides.
Geo Country Name | sourceGeoCountryName | String | 1 | The name of the national-political state where a device resides.
Geo Descriptor ID | sourceGeoDescriptorId | ID | 1 | The internal ID of the geographical reference.
Geo Latitude | sourceGeoLatitude | Double | 1 | The latitude of a device.
Geo Location Info | sourceGeoLocationInfo | String | 1 | Other, free-form text information about the device's location.
Geo Longitude | sourceGeoLongitude | Double | 1 | The longitude of a device.
Geo Postal Code | sourceGeoPostalCode | String | 1 | The postal code of the device's location, as assigned by the national-political state where it resides.
Geo Region Code | sourceGeoRegionCode | String | 1 | The identifier of the sub-region of the national-political state where a device resides. The style of the identifier varies with the host country.
Host Name | sourceHostName | String | 2 | The name of the source device.
MAC Address | sourceMacAddress | MAC address | 2 | The MAC address associated with the network traffic's source (which may or may not be the MAC address of the host device).
NT Domain | sourceNtDomain | String | 2 | The Windows NT domain associated with the source device.
Port | sourcePort | Integer | 1 | The network port associated with the network traffic's source.
Process ID | sourceProcessId | Integer | 2 | The ID of the process associated with the source of the network traffic.
Process Name | sourceProcessName | String | 2 | The name of the process associated with the source of the network traffic.
Service Name | sourceServiceName | String | 2 | The name of the service associated with the network traffic's source.
Translated Address | sourceTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the device that was the network traffic's source.
Translated Port | sourceTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated source port associated with the attack.
Translated Zone | sourceTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the device that was the network traffic's source.
Translated Zone External ID | sourceTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference.
Translated Zone ID | sourceTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Translated Zone Name | sourceTranslatedZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Translated Zone Reference ID | sourceTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Translated Zone Resource | sourceTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference.
Translated Zone URI | sourceTranslatedZoneURI | String | 1 | Returns the URI for this reference.
User ID | sourceUserId | String | 2 | The OS- or application-based identifier associated with the user at the network traffic's source.
User Name | sourceUserName | String | 2 | The OS- or application-based name associated with the user at the network traffic's source.
User Privileges | sourceUserPrivileges | String | 2 | The privileges afforded the user at the network traffic's source.
Zone | sourceZone | Zone | 1 | The network zone where the source device resides.
Zone External ID | sourceZoneExternalID | String | 1 | Returns the external ID for this reference.
Zone ID | sourceZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Zone Name | sourceZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Zone Reference ID | sourceZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Zone Resource | sourceZoneResource | Resource | 1 | Locates the resource described by this reference.
Zone URI | sourceZoneURI | String | 1 | Returns the URI for this reference.


Target Group 


Target Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Address | targetAddress | IP address | 1 | The IP address of the device hosting the attacker.
Asset ID | targetAssetId | Resource | 2 | The asset that represents the attacked device's host.
Asset Name | targetAssetName | String | 2 | The name of the device.
Asset Resource | targetAssetResource | Resource | 2 | See the common set of resource attributes.
DNS Domain | targetDnsDomain | String | 2 | The Domain Name Service domain name associated with the attacked device.
FQDN | targetFqdn | String | 2 | The fully qualified domain name associated with the attacked device.
Geo | targetGeo | GeoDescriptor | 1 | The geographical information.
Geo Country Code | targetGeoCountryCode | String | 1 | The identifier for the national-political state in which a device resides.
Geo Country Flag URL | targetGeoCountryFlagUrl | String | 1 | The URL of an image of the flag of the national-political state in which the device resides.
Geo Country Name | targetGeoCountryName | String | 1 | The name of the national-political state where a device resides.
Geo Descriptor ID | targetGeoDescriptorId | ID | 1 | The internal ID of the geographical reference.
Geo Latitude | targetGeoLatitude | Double | 1 | The latitude of a device.
Geo Location Info | targetGeoLocationInfo | String | 1 | Other, free-form text information about the device's location.
Geo Longitude | targetGeoLongitude | Double | 1 | The longitude of a device.
Geo Postal Code | targetGeoPostalCode | String | 1 | The postal code of the device's location, as assigned by the national-political state where it resides.
Geo Region Code | targetGeoRegionCode | String | 1 | The identifier of the sub-region of the national-political state where a device resides. The style of the identifier varies with the host country.
Host Name | targetHostName | String | 2 | The name of the attacked device.
MAC Address | targetMacAddress | MAC address | 2 | The MAC address associated with the target of the attack (which may or may not be the MAC address of the host device).
NT Domain | targetNtDomain | String | 2 | The Windows NT domain associated with the attacked device.
Port | targetPort | Integer | 1 | The network port associated with the target of the attack.
Process ID | targetProcessId | Integer | 2 | The ID of the process associated with the attack's target.
Process Name | targetProcessName | String | 2 | The name of the process associated with the attack's target.
Service Name | targetServiceName | String | 2 | The name of the service associated with the attack's target.
Translated Address | targetTranslatedAddress | IP address | 1 | If network address translation is an issue, this is the translated IP address of the attacked device.
Translated Port | targetTranslatedPort | Integer | 1 | If network address translation is an issue, this is the translated port associated with the attack.
Translated Zone | targetTranslatedZone | Zone | 1 | If network address translation is an issue, this is the network zone associated with the translated IP address of the targeted device.
Translated Zone External ID | targetTranslatedZoneExternalID | String | 1 | Returns the external ID for this reference.
Translated Zone ID | targetTranslatedZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Translated Zone Name | targetTranslatedZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Translated Zone Reference ID | targetTranslatedZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Translated Zone Resource | targetTranslatedZoneResource | Resource | 1 | Locates the resource described by this reference.
Translated Zone URI | targetTranslatedZoneURI | String | 1 | Returns the URI for this reference.
User ID | targetUserId | String | 2 | The OS- or application-based identifier associated with the attacker, at the target of the attack.
User Name | targetUserName | String | 2 | The OS- or application-based name associated with the attacker, at the target of the attack.
User Privileges | targetUserPrivileges | String | 2 | The privileges afforded the attacker, at the target of the attack.
Zone | targetZone | Zone | 1 | The network zone in which the attacked device resides.
Zone External ID | targetZoneExternalID | String | 1 | Returns the external ID for this reference.
Zone ID | targetZoneID | String | 1 | Returns the ID for the resource in this resource reference.
Zone Name | targetZoneName | String | 1 | Returns the name from the URI, which is always assumed to be the last field of the URI.
Zone Reference ID | targetZoneReferenceID | ID | 1 | Returns the unique descriptor ID for this reference. This is populated only if this reference has been stored and uniquely identified in the database.
Zone Resource | targetZoneResource | Resource | 1 | Locates the resource described by this reference.
Zone URI | targetZoneURI | String | 1 | Returns the URI for this reference.


Threat Group 


Threat Group Data Fields 

Label | Script Alias | Data Type | Default Turbo Level | Description
Asset Criticality | assetCriticality | Integer | 2 | The relative measure of the importance of the targeted device, on a scale of 0 to 10.
Model Confidence | modelConfidence | Integer | 2 | The relative measure of ArcSight's confidence in its model of the attacked device, on a scale of 0 to 10.
Priority | priority | Integer | 1 | The relative measure of importance of investigating this event on a scale of 0 to 10. This field incorporates Model Confidence.
Relevance | relevance | Integer | 2 | The relative measure of likelihood that this event succeeded, on a scale of 0 to 10.
Severity | severity | Integer | 2 | The relative measure of possible damage to network security represented by the event on a scale of 0 to 10. It may be noted that event severity is supplied by the device; connector severity is supplied by the SmartConnector; and attack severity is supplied by the threat evaluation process.


Resource Attributes 


Resource Attributes Data Fields 

Attribute Suffix | Description
External ID | The user-defined identifier associated with a configuration resource.
ID | The internal identifier associated with a resource (a UUID).
Reference ID | The internal identifier associated with the resource reference (an integer).
Type Name | The type of configuration resource.
URI | The URI associated with the resource (for example, /All Users/Administrators/Mlow).


Geographical Attributes 


Geographical Attributes Data Fields 

Attribute Suffix | Description
Descriptor ID | The internal ID of the geographical reference.
Country Code | The identifier for the national-political state in which a device resides.
Country Flag URL | The URL of an image of the flag of the national-political state in which the device resides.
Country Name | The name of the national-political state where a device resides.
Latitude | The latitude of a device.
Location Info | Other, free-form text information about the device's location.
Longitude | The longitude of a device.
Postal Code | The postal code of the device's location, as assigned by the national-political state where it resides.
Region Code | The identifier of the sub-region of the national-political state where a device resides. The style of the identifier varies with the host country.


Data Monitors 

Data monitors are views within "Dashboards" that can be configured to report on events, "Filters", 
"Rules", and other areas that are of particular interest to you. Data monitors can be arranged on 
dashboards in numerous viewing layouts. Data monitors collect summary information on top events, 
most recent event activity, partial rule occurrences, hourly event counts, or event averages. 

Data Monitors on Dashboards: 

Once data monitors are created, they can be used to display information on dashboards. You can add 
one or more data monitors to the same dashboard to create a collection of different "instrument panel" 
monitors appearing in the Dashboard display in the Viewer panel. Both the data monitors themselves 
and dashboards on which they are published can be shared among multiple Console users. 

Permissions on Data Monitors: 

Data monitors display only those events for which you have permission. In addition, if you do not have 
access to a data monitor, the data monitor does not function. Administrators can limit visibility of or 
control access to dashboards and data monitors by changing access control lists (ACLs) as needed. 
For more about this, see "Managing Permissions" on page 189 and "Controlling Who Has Permissions 
to Deploy Data Monitors" on page 200. 

Data Monitor Types: 

The ArcSight Console offers several predefined types to choose from when creating a new data 
monitor. The following topics describe the parameter entries and other options you can specify for each 
supported data monitor type. 

You specify the Data Monitor type when you create a data monitor. For information on how to 
create a data monitor, see "Creating a Data Monitor" on page 246. (Also, the data monitors provided 
with ArcSight are examples of these various types of data monitors.) 
Asset Category Count Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

This data monitor enumerates the number of real-time hits (events) that occur per asset category, by 
priority, within a time interval. 

Asset Category Count Data Monitor 

Parameter | Description
Data Monitor Name | A unique name for the monitor.
Enable Data Monitor | Turn on the monitor and collect data from the Manager. If cleared, the monitor does not display data. Depending on the permissions associated with the user group to which you belong, you may or may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more information, see "Enabling or Disabling a Data Monitor" on page 257.
Restrict by Filter | Choose a filter resource with which to restrict the events that can affect the asset categories.
Availability Interval | Set the number of seconds to use as the interval between monitor updates.
Select Field Set | Specify a field set for use in data monitor drill-downs. When this data monitor is displayed, the user can double-click on a chart area or table row that represents an event to bring up a drill-down channel for that event. The field set specified here determines the columns (fields) shown in the drill-down channel. See also "Inspecting Events in Dashboards" on page 239 for information on data monitor drill-downs.
Root Asset Category Group | Choose an asset-category resource group to monitor.
Levels | Set the number of resource hierarchy levels below the chosen Root Asset Group to monitor. A value of 1 monitors only the next level down. A value of -1 monitors all levels.
Aggregation | Turn on (True) or off (False) the ability to aggregate all hits to the asset group URI, including those above the leaf level, to reveal disparities or unanticipated counts that may merit drilling down.
Show Root URI | Choose whether to display (True) or not display (False) the complete URI for affected asset categories.
Show Root Series | Specify whether to include (True) or not include (False) the root series. This is used to select how many levels down in the hierarchy to include in the data monitor display. Using a combination of this, Show Root URI, Aggregation, and Levels, you can slice out single levels in the display.


Event Correlation Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

This data monitor provides flow-volume level correlation between two different event streams. The data 
monitor specifies two filters to identify two sub-streams of events within the overall stream of events 
coming into Manager. It then reports how closely the volume of events in the two streams correlate, 
that is, when the volume of events in Stream 1 decreases, does the volume in Stream 2 increase, 
decrease, or just change with no relation to the changes in Stream 1? For example, if a network 
intrusion detection system (NIDS) were deployed in front of several web servers in a cluster, one might 
expect that the flow of reported events from each NIDS would be roughly equivalent. If the event flow 
from one of the NIDS suddenly rose or fell out of sync with the other NIDS, then it might indicate a 
possible problem. 


Event Correlation Data Monitor 


Data Monitor Name 
    A unique name for the monitor. 

Enable Data Monitor 
    Enable the data monitor and collect data from the Manager. If cleared, the associated viewer 
    configuration does not display any data. 

    Depending on the permissions associated with the user group to which you belong, you may or 
    may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more 
    information, see "Enabling or Disabling a Data Monitor" on page 257. 

Restrict by Filter 
    Choose a filter resource with which to restrict the events that can affect the asset categories. 

Availability Interval 
    Set the number of seconds to use as the interval between monitor updates. 

Select Field Set 
    Specify a field set for use in data monitor drill-downs. 

    When this data monitor is displayed, the user can double-click on a chart area or table row 
    that represents an event to bring up a drill-down channel for that event. 

    The field set specified here determines the columns (fields) shown in the drill-down channel. 
    See also "Inspecting Events in Dashboards" on page 239 for information on data monitor 
    drill-downs. 

Filter 1 
    Select a filter for the first event flow. 

Filter 2 
    Select a filter for the second event flow. 

Restrict by Filter 
    Choose to restrict the data monitor to a particular filter. When restricting by filter, you 
    focus on a filter that is of particular interest to you and also reduce the number of events 
    the data monitor retrieves. 

Sampling Interval 
    Enter the interval (in seconds) for performing correlation calculations. 

Number of Samples 
    Number of samples to keep in memory to perform calculations. 

Availability Interval 
    Set the number of seconds to use as the interval between monitor updates. 

Alarm Condition 
    Condition on which to fire an alarm, for example: c > 90 && x > 0 && y > 0. In this example, 
    c represents the correlation count from -100 to +100, and x and y represent the actual count 
    of events. 

    See "Data Monitor Expressions" on page 986 for more information about the operators and 
    functions supported in this and similar data monitor parameters that accept conditional 
    expressions. 

Maximum Alarm Frequency 
    Minimum time (in seconds) to wait before sending alarms for the same group. 


The formula for calculating the correlation values displayed in data monitors is: 

$$\mathrm{cor} = \sum_{i} \frac{(x_i - \bar{x}) \cdot (y_i - \bar{y})}{\sigma_x \cdot \sigma_y}$$ 

where $\bar{x}$ is the mean of $x_i$ and $\sigma_x$ is the variance of $x$. 

The data monitor sampler takes all samples in memory and continually calculates correlation values 
using this formula. As an example, you could define an event correlation data monitor that displays a 
correlation between the number of times a network is being reconnoitered, and if that is related to the 
number of attacks that the network is receiving. 
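As an added illustration that is not part of this guide, the following Python code computes the correlation value from two series of sampled event counts and evaluates the guide's example Alarm Condition, c > 90 && x > 0 && y > 0. The two NIDS sensor series are constructed sample data; the scaling of the correlation to the -100 to +100 range that c uses is an assumption, since the guide gives the range but not the scale factor, and the out_of_sync condition is an example of an alternative condition an operator might configure, not one the guide defines. 

```python
import math
from typing import Sequence

# Constructed sample data (not from the guide): event counts per sampling
# interval reported by two NIDS sensors in front of the same web server
# cluster, i.e. the Filter 1 (x) and Filter 2 (y) event streams.
NIDS_A = [120, 118, 125, 130, 128, 135, 140, 138, 142, 150]
NIDS_B_HEALTHY = [119, 117, 126, 129, 127, 136, 141, 137, 143, 151]
# The same sensor B, but its flow collapses half-way through the window while
# sensor A keeps reporting: the "out of sync" case the guide describes.
NIDS_B_OUT_OF_SYNC = [119, 117, 126, 129, 127, 40, 35, 30, 28, 25]


def correlation(x: Sequence[float], y: Sequence[float]) -> float:
    """Correlation of two equally long sample series, scaled to -100..+100.

    Implements cor = sum((x_i - mean_x) * (y_i - mean_y)) / (sigma_x * sigma_y),
    with sigma taken over the same samples, then multiplies by 100 so the result
    has the range the Alarm Condition's 'c' uses (the factor is an assumption).
    """
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two series of equal length with at least two samples")
    n = len(x)
    mean_x = sum(x) / n
    mean_y = sum(y) / n
    sigma_x = math.sqrt(sum((xi - mean_x) ** 2 for xi in x))
    sigma_y = math.sqrt(sum((yi - mean_y) ** 2 for yi in y))
    if sigma_x == 0.0 or sigma_y == 0.0:
        # A flat stream has no variation to correlate against; report "none".
        return 0.0
    covariance = sum((xi - mean_x) * (yi - mean_y) for xi, yi in zip(x, y))
    return 100.0 * covariance / (sigma_x * sigma_y)


def latest_correlation(x: Sequence[float], y: Sequence[float], number_of_samples: int) -> float:
    """Correlation over only the most recent samples, the way the Number of
    Samples parameter bounds what the sampler keeps in memory."""
    return correlation(x[-number_of_samples:], y[-number_of_samples:])


def alarm_condition(c: float, x: int, y: int) -> bool:
    """The guide's example Alarm Condition 'c > 90 && x > 0 && y > 0' as a
    function: c is the correlation value, x and y the actual event counts."""
    return c > 90 and x > 0 and y > 0


def out_of_sync(c: float, minimum: float = 50.0) -> bool:
    """An alternative condition an operator might configure (assumption, not
    from the guide): alarm when two streams that should track each other
    stop doing so."""
    return c < minimum


if __name__ == "__main__":
    for label, b in (("healthy", NIDS_B_HEALTHY), ("out of sync", NIDS_B_OUT_OF_SYNC)):
        c = correlation(NIDS_A, b)
        print(f"{label}: c={c:.1f} alarm={alarm_condition(c, sum(NIDS_A), sum(b))} "
              f"out_of_sync={out_of_sync(c)} last5={latest_correlation(NIDS_A, b, 5):.1f}")
```

With the healthy pair the correlation is close to +100 and the guide's example condition fires; once sensor B's flow collapses the value turns negative, which is the divergence the NIDS cluster scenario above is meant to surface. 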
Event Graph Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

This data monitor draws real-time diagrams of selected event activity. In effect, it does automatically 
and in real-time what you can do manually, as described in "Graphing Attacks" on page 270. 

Event Graph Data Monitor 


Data Monitor Name 
    A unique name for the monitor. 

Enable Data Monitor 
    Select this check box to "switch on" the monitor and collect data from the Manager. 

    If cleared, the monitor is "off" and displays no data. 

    Depending on the permissions associated with the user group to which you belong, you may or 
    may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more 
    information, see "Enabling or Disabling a Data Monitor" on page 257. 

Restrict by Filter 
    Choose a filter resource with which to restrict the events that the graphic includes. 

Availability Interval 
    Set the number of seconds to use as the interval between monitor updates. 

Select Field Set 
    Specify a field set for use in data monitor drill-downs. 

    When this data monitor is displayed, the user can double-click on a chart area or table row 
    that represents an event to bring up a drill-down channel for that event. 

    The field set specified here determines the columns (fields) shown in the drill-down channel. 
    See also "Inspecting Events in Dashboards" on page 239 for information on data monitor 
    drill-downs. 

Show Event Nodes 
    Choose a basis for visually expanding or aggregating event nodes, relative to their source and 
    target node instances. See "Configuring Event Graphs" on page 87 for the option details. 

Max Event Count 
    Set the greatest number of most-recent events the graphic can show. 

Show Source/Target Nodes as 
    When one source-event target chains to another, you can choose to graph a source/target IP 
    address as a single (simple) node, or to graph both the source and target instances of such 
    an IP address (distinct). 

Source Node Identifier 
    Choose an event attribute to use as the identifier for source nodes. The default attribute is 
    Source Address. Note that while all attributes are available, not all are appropriate choices 
    for this purpose. 

Event Node Identifier 
    The fields that are available to use to uniquely identify the event type in a transaction. 

Target Node Identifier 
    Choose an event attribute to use as the identifier for target nodes. The default attribute is 
    Target Address. Note that while all attributes are available, not all are appropriate choices 
    for this purpose. 


Event Reconciliation Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

The Event Reconciliation data monitor correlates events arriving from one sensor with events arriving 
from another sensor. When qualifying events occur on either or both sensors, the Event Reconciliation 
data monitor issues a new event to signal it. 

You typically use this data monitor to determine the effectiveness of a firewall or IDS deployed in your 
environment. 

One application is to place identically configured NIDS on either side of a firewall to determine which 
attacks are blocked by the firewall and which are not. Identical NIDS may also be wired in series to 
guarantee that none of the NIDS have been tampered with. Different NIDS may be wired in series to 
compare what each detects, either for evaluation purposes or to predict what attacks they may be 
missing as a group. 

For example, you could define an event reconciliation data monitor that displays information about the 
number of events originating within the outside IDS (IDS1), and the inside IDS (IDS2), and the events 
that are filtered through the firewall. This presumes that events have the same custom string 1 source 
address, and that the target address field values are similar. 

The Event Reconciliation data monitor is similar to the "Session Reconciliation Data Monitor" in many 
respects. Their main difference is in the way each handles the scope of reconciliation sessions. Event 
Reconciliation focuses on accomplishing a certain number of event matches; Session Reconciliation 
permits an indeterminate number of matches while appropriate events continue to occur. 


Event Reconciliation Data Monitor Properties 


Data Monitor Name 
    Type a data monitor name. 

Enable Data Monitor 
    Select the check box to enable the data monitor and collect data from the Manager. If not 
    selected, the associated viewer configuration does not display any data. 

    Depending on the permissions associated with the user group to which you belong, you may or 
    may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more 
    information, see "Enabling or Disabling a Data Monitor" on page 257. 

Restrict by Filter 
    Specifies whether to restrict the data monitor to a particular filter. Filtering reduces the 
    number of events the data monitor has to process. From the drop-down menu, double-click a 
    filter or accept the default to receive all events. 

Availability Interval 
    Sets the number of seconds to use as the interval between data monitor updates. 

Select Field Set 
    Specify a field set for use in data monitor drill-downs. 

    When this data monitor is displayed, the user can double-click on a chart area or table row 
    that represents an event to bring up a drill-down channel for that event. 

    The field set specified here determines the columns (fields) shown in the drill-down channel. 
    (See "Inspecting Events in Dashboards" on page 239 for information on data monitor 
    drill-downs.) 

Matching Fields 
    The set of fields to consider when establishing whether two events match. 

Filter 1 Fields 
    Fields passed by Filter 1 that can be included in resulting correlation events. These 
    correlation events contain a union of the Filter 1 and Filter 2 Fields. 

Filter 1 Population Fields 
    Select a filter for the first device's event flow. 

Filter 2 Fields 
    Fields passed by Filter 2 that can be included in resulting correlation events. These 
    correlation events contain a union of the Filter 2 and Filter 1 Fields. 

Filter 2 Population Fields 
    Select a filter for the second device's event flow. 

Matching Time Window 
    The period of time (in seconds) within which two appropriate events need to be received to 
    qualify as a match. 

Event Expiration Time 
    This is the amount of time (in seconds) that an event is kept in memory while seeking a 
    matching event from the other device's event flow. 

Correlate On 
    Choose an event-receipt circumstance for generating a reconciliation event. The options are 
    as follows. 

    • Matching Events 

    • Filter 1 Events Only 

    • Filter 2 Events Only 

Correlation Thresholds 
    This specifies the thresholds at which correlation events are created for the events specified 
    in the Correlate On parameter. This field takes one number or a comma-separated list of three 
    numbers. If you specify one number, it is used as the threshold for all the conditions. If you 
    specify three numbers, they are applied respectively to the Correlate On values. 

Correlation Interval 
    The interval (in seconds) to require between correlation events. 
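As an added example that is not part of this guide, the following Python code replays the NIDS-on-either-side-of-a-firewall scenario described above: it matches the Filter 1 (outside IDS) flow against the Filter 2 (inside IDS) flow on a set of Matching Fields, honours the Matching Time Window and Event Expiration Time, sorts every event into one of the three Correlate On buckets, and parses a Correlation Thresholds value in both of the forms the table allows. The events, the field names used for matching, and the window and expiration values are all constructed sample data and assumptions, not the product's internal algorithm. 

```python
from typing import Dict, List, Sequence, Tuple

Event = Dict[str, object]

# Constructed sample events (not from the guide). IDS1 sits outside the firewall
# and feeds the Filter 1 flow; IDS2 sits inside it and feeds the Filter 2 flow.
# receiptTime is in seconds. An outside event with no inside match within the
# window is one the firewall blocked; an inside-only event never crossed it.
IDS1_EVENTS: List[Event] = [
    {"receiptTime": 100.0, "sourceAddress": "203.0.113.5", "targetAddress": "10.0.0.10", "name": "Port scan"},
    {"receiptTime": 101.0, "sourceAddress": "203.0.113.5", "targetAddress": "10.0.0.10", "name": "HTTP probe"},
    {"receiptTime": 105.0, "sourceAddress": "198.51.100.7", "targetAddress": "10.0.0.20", "name": "Port scan"},
    {"receiptTime": 160.0, "sourceAddress": "198.51.100.7", "targetAddress": "10.0.0.20", "name": "HTTP probe"},
]
IDS2_EVENTS: List[Event] = [
    {"receiptTime": 103.0, "sourceAddress": "203.0.113.5", "targetAddress": "10.0.0.10", "name": "HTTP probe"},
    {"receiptTime": 140.0, "sourceAddress": "198.51.100.7", "targetAddress": "10.0.0.20", "name": "Port scan"},
    {"receiptTime": 150.0, "sourceAddress": "10.0.0.30", "targetAddress": "10.0.0.20", "name": "Internal probe"},
]

MATCHING_FIELDS: Tuple[str, ...] = ("sourceAddress", "targetAddress", "name")
MATCHING_TIME_WINDOW = 10.0    # seconds within which two events qualify as a match
EVENT_EXPIRATION_TIME = 30.0   # seconds an unmatched event is kept while a partner is sought

CONDITIONS = ("Matching Events", "Filter 1 Events Only", "Filter 2 Events Only")


def _key(event: Event, matching_fields: Sequence[str]) -> tuple:
    return tuple(event.get(f) for f in matching_fields)


def reconcile(filter1_events: Sequence[Event], filter2_events: Sequence[Event],
              matching_fields: Sequence[str] = MATCHING_FIELDS,
              window: float = MATCHING_TIME_WINDOW,
              expiration: float = EVENT_EXPIRATION_TIME) -> Dict[str, list]:
    """Replay both flows in receipt order and sort every event into one of the
    three Correlate On buckets. Matching Events holds (filter1, filter2) pairs."""
    stream = sorted(
        [(e["receiptTime"], 1, e) for e in filter1_events]
        + [(e["receiptTime"], 2, e) for e in filter2_events],
        key=lambda item: (item[0], item[1]),
    )
    pending: Dict[int, List[Event]] = {1: [], 2: []}   # unmatched, not yet expired
    result: Dict[str, list] = {name: [] for name in CONDITIONS}
    only = {1: "Filter 1 Events Only", 2: "Filter 2 Events Only"}

    for now, side, event in stream:
        # Drop events whose expiration time has passed: they stay unmatched.
        for s in (1, 2):
            fresh = []
            for old in pending[s]:
                if now - old["receiptTime"] > expiration:
                    result[only[s]].append(old)
                else:
                    fresh.append(old)
            pending[s] = fresh
        other = 2 if side == 1 else 1
        key = _key(event, matching_fields)
        partner = next((p for p in pending[other]
                        if _key(p, matching_fields) == key
                        and now - p["receiptTime"] <= window), None)
        if partner is None:
            pending[side].append(event)
        else:
            pending[other].remove(partner)
            result["Matching Events"].append((event, partner) if side == 1 else (partner, event))

    # Nothing more arrives, so whatever is still waiting stays unmatched.
    for s in (1, 2):
        result[only[s]].extend(pending[s])
    return result


def parse_thresholds(spec: str) -> Dict[str, int]:
    """Correlation Thresholds: one number applies to all three Correlate On
    conditions; three comma-separated numbers apply to them respectively."""
    parts = [int(p) for p in spec.split(",")]
    if len(parts) == 1:
        parts = parts * 3
    if len(parts) != 3:
        raise ValueError("expected one number or a comma-separated list of three numbers")
    return dict(zip(CONDITIONS, parts))


def reached_thresholds(result: Dict[str, list], spec: str) -> Dict[str, bool]:
    """Which Correlate On conditions reached their threshold and would therefore
    generate a reconciliation event."""
    thresholds = parse_thresholds(spec)
    return {name: len(result[name]) >= thresholds[name] for name in CONDITIONS}
```

On the sample data one HTTP probe is seen on both sides of the firewall within the window, three outside events never reappear inside (the firewall blocked them, or the inside sensor reported them too late), and two events are seen inside only; which of those three counts triggers a reconciliation event depends entirely on the thresholds chosen. 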


Correlation Event-Generating Fields 

The Event Reconciliation Data Monitor displays a table view of qualifying events. You can sort on 
individual fields to display the most interesting cases on top. The following fields generate correlation 
events. 


Fields that Generate Correlation Events 

Moving Average Event Fields (and the group-by fields are set) 

Event Name 
    Name of the data monitor 

ArcSight Category 
    /metaevent 

Custom Number 1 
    abs(count - moving_avg) / moving_avg * 100 

Custom Number 2 
    count - moving_avg 

Custom Number 3 
    statistics 

Base Event Count 
    count 

Event Category, Custom String 1 
    if (count - statistics = 0): eventCategory = /datamonitor/movingaverage/threshold, 
    Custom String 1 = datamonitor:002 

    if (count - statistics < 0): eventCategory = /datamonitor/movingaverage/threshold/falling, 
    Custom String 1 = datamonitor:003 

    otherwise: eventCategory = /datamonitor/movingaverage/threshold/rising, 
    Custom String 1 = datamonitor:004 

Statistics Events (and the group-by fields are set) 

Event Name 
    Name of the data monitor 

ArcSight Category 
    metaevent 

Event Category 
    /datamonitor/statistics/<Statistics Name> 

Custom String 1 
    datamonitor:006 

Custom Number 1 
    count 

Custom Number 2 
    statistics 

Correlation Data Monitor 

Event Name 
    Name of the data monitor 

ArcSight Category 
    /metaevent 

Event Category 
    /datamonitor/correlation 

Custom String 1 
    datamonitor:007 

Custom Number 1 
    Filter 1 count 

Custom Number 2 
    Filter 2 count 

Custom Number 3 
    Correlation value 

Event Reconciliation (the rule chain and matching fields are set) 

Event Name 
    Name of the data monitor 

ArcSight Category 
    /metaevent 

Event Category 
    Event Reconciliation 

Custom String 1 
    Filter 1 Events / Filter 2 Events / Matching Events 

Event Type 
    Correlated 


Geographic Event Graph Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

This data monitor draws a real-time geographic map of selected events. In effect, it does automatically 
and in real-time what you can do manually, as described in "Graphing Attacks" on page 270. 


Geographic Event Data Monitor 


Data Monitor Name 
    A unique name for the monitor. 

Enable Data Monitor 
    Select this check box to "switch on" the monitor and collect data from the Manager. If 
    cleared, the monitor is "off" and displays no data. 

    Depending on the permissions associated with the user group to which you belong, you may or 
    may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more 
    information, see "Enabling or Disabling a Data Monitor" on page 257. 

Restrict by Filter 
    Choose a filter resource with which to restrict the events that can affect the graphic. 
    Filtering reduces the number of events the data monitor has to process. From the drop-down 
    menu, double-click a filter or accept the default to receive all events. 

Availability Interval 
    Sets the number of seconds to use as the interval between data monitor updates. 

Select Field Set 
    Specify a field set for use in data monitor drill-downs. 

    When this data monitor is displayed, the user can double-click on a chart area or table row 
    that represents an event to bring up a drill-down channel for that event. 

    The field set specified here determines the columns (fields) shown in the drill-down channel. 
    (See "Inspecting Events in Dashboards" on page 239 for information on data monitor 
    drill-downs.) 

Max Event Count 
    Set the greatest number of most-recent events the map can show. 


Hierarchy Map Data Monitor 

The data monitor type is chosen when you create a new data monitor. (For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246.) This data monitor draws an image made up 
of proportionally sized panels, where each panel represents a group of events selected by the Group By 
fields specified in the Source Node Identifier. The source-node criterion can be a combination of fields. 

Features 

The Hierarchy Map data monitor includes the following features. 

• The data monitor shows the complete hierarchy, with the hierarchy path built not just by using the 
delimiter within a field value but also across different field values. (Previous versions of the data 
monitor did not show the complete hierarchy.) 

• Group By fields provide options to specify a list of delimiters for use by each selected Group By 
field. By default, no delimiters are used; if no delimiters are specified, the whole field is taken as 
a single level of hierarchy. (Previous versions built the hierarchy path within a field value based on 
only one type of separator, a forward slash, which did not support fields that use other separators 
such as a backslash (\) or a dot (.).) 

Group By fields also provide an option to set the maximum depth level of hierarchy within a field. The 
default depth level is equal to the number of delimiters in the field. Entering 0 for this option signifies 
no depth level for the selected field, effectively defining the field as a single-level hierarchy. 

• A list of Group Attributes can be specified as a drill-down display to show when a user drills down 
into a group. For each attribute, the user can select a field and a function (max, min, count, average, 
count unique) on that field value. 

• Enhanced visualization tools for label, size by, and color by provide fine-grained control of hierarchy 
map display with regard to Group By and Group Attributes fields and values. 
Use Cases 

Following is a list of example use cases for which the Hierarchy Map data monitor is a useful 
monitoring tool. 

• Display the number of matches for all the rules within a given timeframe, with the hierarchy groups 
based on the File path field of the rule audit events. The value is the count of the events for each 
group. The goal would be to show which rules fired the most in a given time frame. 

• Show table space usage of correlation resources, particularly session lists and active lists. 

• Show memory usage for correlation resources, particularly session lists and active lists. 

• Show assets hierarchy by networks, zones and subnets. Within subnets, the assets can be sub- 
divided into asset ranges. 

• Show assets hierarchy divided by the location of assets, where the value on the map is the count of 
the events targeting those assets. 

• Show assets hierarchy divided by the location of assets, where the value on the map is the count of 
the assets within those locations. 

• Monitor resource distribution; that is, how many rules, reports, data monitors and so on are being 
used in the system, where the count is system storage space. 

• Display events by device to show how many events are generated from each device in a given time 
frame (for example, the past two days). 

• Show assets by the number of attacks each receives, to determine which assets are the most 
vulnerable. 

The following topics show how to create a hierarchy map data monitor. Woven into these topics is a 
simple example that shows how to map high priority, significant events and targeted systems. 

Defining a Hierarchy Map Data Monitor 

First, create a new data monitor and select Hierarchy Map as the Data Monitor Type in the Data 
Monitor editor. (For information on how to create a data monitor and define the type, see "Creating a 
Data Monitor" on page 246.) 

To define the details of the Hierarchy Map Data Monitor, specify these attributes in the editor. 


Hierarchy Map Data Monitor 


Data Monitor Name 
    A unique name for the monitor. 

Enable Data Monitor 
    Select this check box to "switch on" the monitor and collect data from the Manager. If 
    cleared, the monitor is "off" and displays no data. 

    Depending on the permissions associated with the user group to which you belong, you may or 
    may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more 
    information, see "Enabling or Disabling a Data Monitor" on page 257. 

Restrict by Filter 
    Choose a filter resource with which to restrict the events that can affect the graphic. 

Availability Interval 
    Set the number of seconds to use as the interval between monitor updates. 

Select Field Set 
    Specify a field set for use in data monitor drill-downs. 

    When this data monitor is displayed, the user can double-click on a chart area or table row 
    that represents an event to bring up a drill-down channel for that event. 

    The field set specified here determines the columns (fields) shown in the drill-down channel. 
    (See "Inspecting Events in Dashboards" on page 239 for information on data monitor 
    drill-downs.) 

Source Node Identifier 
    This is a group-by identifier. Blocks in the hierarchy map represent events or objects that 
    have matching values for all fields chosen here. Also, identifiers specified here are 
    available as Label By, Size By, and Color By choices on the displayed data monitor. 

    Choose one or more event attributes by which to group events. The default attribute is 
    Category Behavior, but you can include multiple attributes. 

    For example, if you select only Category Behavior for this field, events are grouped by 
    category behavior (for example, all events with a category behavior value of /Access are 
    shown in one block, all events with a category behavior of /Authentication/Verify in another 
    block, and so on). 

    If you select more than one source node identifier, each block in the hierarchy map 
    represents events or objects that have the same values for all identifiers. 

    For example, if you select Category Behavior and Event Name as source node identifiers, 
    then each block in the map represents events of the same behavior and event name. 

    See "Specifying the Source Node Identifiers" on the next page for more information. 

Group Attributes 
    You can specify one or more group attributes for fields with numerical values (for example, 
    calculate the maximum priority of all events in a field group). The attributes you specify 
    here are shown as drill-down tooltips when you mouse over a field on a hierarchy map display. 
    You can add these attributes by specifying a label, a field, and a function to apply to the 
    field. The functions can be applied on numeric fields only. See "Specifying Group 
    Attributes" on page 961 for more details. 

    Also, group attributes specified here are available as Label By, Size By, and Color By 
    choices on the displayed data monitor. 
Tip: If data monitor attributes are changed (edited) while a user is viewing the data monitor in a 
dashboard, the current data is flushed and the map defaults to red until new data arrives and the 
map display is redrawn. 

Adding Variables 

To add a variable, click the Variables tab. For more on using variables in resources, see "Variables" on 
page 1069. 

Specifying the Source Node Identifiers 

Source node identifiers are “group by” attributes. For example, if you select only Category Behavior for 
this field, events are grouped by category behavior. Each block in the hierarchy map represents a 
different type of category behavior (for example, /Authentication, /Authentication/Verify, 
/Execute Response/Informational, and so forth). If you select both Category Behavior and Target 
Address here, each block in the hierarchy map represents events with the same category behavior on 
the same target system (IP address or host name). 

To specify one or more Source Node Identifier (Group By) fields, click in the Source Node Identifier 
field, then click the browse button to open the Field Selector dialog. Specify the fields by which you 
want to group events or objects by clicking Available Fields checkboxes, which adds them to "Fields to 
Show". (To remove a field, select it under Fields to Show and click the delete button. Click the up/down 
arrows to re-order fields.) 



For example, we can group by Category Behavior, Category Significance, and Target Address, which 
provide meaningful groups (events with the same category behavior, significance, and target address), 
and give us some interesting label, size, and color display options for mapping significant events and 
targeted systems on the data monitor. 
Hierarchy Levels and Group Delimiters 

You can specify how many levels of hierarchy you want to display for a field group by specifying one or 
more (a group of) delimiters and the maximum depth of hierarchy to display. For example, if you have a 
field value, http://www.foo.com, for which you have specified the depth level (Max Depth) as 2 with 
delimiters set to a group (consisting of : // . ), you see: 

• First level: http:// 

• Second level: http://www.foo.com 

For the same example, if you set the Max Depth to 3, you get: 

• First level: http:// 

• Second level: http://www 

• Third level: http://www.foo.com 

To select a field to display and set its hierarchy depth level: 

1. Open the Hierarchy Map Field Selector dialog by clicking the browse button that is displayed 
when you click in the Source Node Identifier field. 

2. To add a field, check (click) the check box next to the field in the Available Fields scroll box. As 
you select a field, it is displayed in the Fields column in the "Fields to Show" table on the right side 
of the dialog. 

3. Double-click the Delimiter column for the field you just selected and enter one or more delimiters 
based on which you want to show the hierarchy depth. 

By default, a forward slash (/) is set as the delimiter. To set a single level of hierarchy, delete the 
slash and do not specify any delimiters. Also, set the Max Depth (as explained in the next step) to 
zero for that field. If you set a comma (,) as a delimiter, the hierarchy in the panel displays a 
backslash (\). 

4. To specify the depth of the field hierarchy within a field, double-click the Max Depth cell for the 
field. 


Note: Negative integers are not allowed. If you enter a negative integer, it defaults to -1, which 
represents a depth level equal to the number of delimiters in the field. 

If you leave this field blank, it defaults to a depth level equal to the number of delimiters in the 
field and -1 is displayed in the Max Depth column. 

To display the whole field as a single level of hierarchy, set the Max Depth value to 0. 
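As an added example that is not part of this guide, the following Python code splits a field value into hierarchy levels using a group of delimiters and a Max Depth, following the rules stated above (0 means a single level, a negative value means the number of delimiters in the field), and then builds the complete hierarchy path across several Group By fields, the feature listed under "Features". The splitting rule is this example's own reading of the guide's http://www.foo.com illustration: every level except the last is the prefix up to and including a delimiter run, so the second level of a three-deep split is rendered as http://www. rather than the guide's http://www; that, the treatment of consecutive delimiters as one boundary, and the sample event are assumptions. 

```python
from typing import Dict, List, Sequence, Tuple


def hierarchy_levels(value: str, delimiters: str = "/", max_depth: int = -1) -> List[str]:
    """Split one field value into hierarchy levels.

    delimiters: the group of delimiter characters for the field. Any character in
      the string is a delimiter, and a run of consecutive delimiters (such as the
      "://" in a URL) is treated as a single boundary (assumption).
    max_depth: the number of levels to show. 0, or an empty delimiter group, shows
      the whole value as a single level; a negative value means "number of
      delimiters in the field", the guide's default for -1. Each level is the
      prefix up to and including a delimiter run, except the last level, which is
      always the whole value (assumption; the guide's example omits the trailing
      delimiter on intermediate levels).
    """
    if max_depth == 0 or not delimiters:
        return [value]
    prefixes: List[str] = []
    runs = 0
    i, n = 0, len(value)
    while i < n:
        if value[i] not in delimiters:
            i += 1
            continue
        j = i
        while j < n and value[j] in delimiters:
            j += 1
        runs += 1
        # A leading run (the "/" of "/Authentication/Verify") or a trailing run
        # counts as a delimiter but would only produce an empty or duplicate level.
        if 0 < i and j < n:
            prefixes.append(value[:j])
        i = j
    depth = runs if max_depth < 0 else max_depth
    if depth <= 1 or not prefixes:
        return [value]
    return prefixes[: depth - 1] + [value]


# (field name, delimiter group, Max Depth), one entry per Group By field.
GroupBySpec = Tuple[str, str, int]


def hierarchy_path(event: Dict[str, object], group_by: Sequence[GroupBySpec]) -> List[str]:
    """Build the complete hierarchy path across all Group By fields, in order:
    the levels of the first field, then the levels of the second, and so on.
    A missing field contributes a single empty level."""
    path: List[str] = []
    for field, delimiters, max_depth in group_by:
        path.extend(hierarchy_levels(str(event.get(field, "")), delimiters, max_depth))
    return path


if __name__ == "__main__":
    # Constructed sample event (not from the guide).
    event = {"categoryBehavior": "/Authentication/Verify", "targetAddress": "10.0.0.10"}
    print(hierarchy_levels("http://www.foo.com", ":/.", 2))
    print(hierarchy_levels("http://www.foo.com", ":/.", 3))
    print(hierarchy_path(event, [("categoryBehavior", "/", -1), ("targetAddress", ".", 0)]))
```

Setting Max Depth to 0 on the address field keeps each target as one block under its category behavior, which is the usual choice for identifiers such as IP addresses where the dotted parts carry no meaningful hierarchy. 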
Specifying Group Attributes 

Optionally, you can specify group attributes, which are functions on numerical fields. These attributes 
are shown as mouse-over tooltips on groups (blocks) on a displayed hierarchy map. They are also 
available as label, size, and color options. 

For each attribute you want to add, provide a label, a function, and a field to which to apply the function. 
This can be done on numeric fields only. For example, if you add an Event Count label, select the Sum 
function, and apply this to the aggregatedEventCount field, the function finds the sum of the event count 
values. 

To add group attributes: 

1. Click the Group Attributes cell. A browse button is displayed. 

2. Click the browse button. The Group Attributes dialog opens. 


[Group Attributes dialog: a table with the columns Label, Function, and Field, showing the rows 
Event Count / Sum / aggregatedEventCount and Priority / Max / priority, an empty row with the prompts 
< Enter Label >, < Select Function >, and < Select Field >, and the OK, Cancel, and Help buttons.] 


3. Click the Label column and enter a name for the attribute you want to create. You can add multiple 
labels. 

4. Click the Function column for a label and select a function to be applied to a field that you select 
in the next step. You can set a function for a numeric field only. 

5. Click the Field column against a label and select a field to which to apply the function. 


For example, we’ll create two labels, Event Count and Priority, and map them as follows. 

Label: Event Count    Function: Sum    Field: aggregatedEventCount 

Label: Priority       Function: Max    Field: priority 


On the displayed map, the mouse-over tooltip on each block (group) shows both the event count and 
the highest priority events included in that block. Also, specified group attributes (Event Count and 
Priority, in this case) are available as Label By, Size By, and Color By options on the data monitor. 
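As an added example that is not part of this guide, the following Python code groups events by a set of Source Node Identifier fields and computes the group attributes for each resulting block, using the two labels defined above (Event Count as the Sum of aggregatedEventCount, Priority as the Max of priority) together with the other functions the guide lists (min, count, average, count unique). The events are constructed sample data, the field names follow the guide's examples, and the rule that Sum, Max, Min, and Average reject non-numeric fields is this example's implementation of the guide's "numeric fields only" statement. 

```python
from collections import defaultdict
from numbers import Number
from typing import Callable, Dict, List, Sequence, Tuple

Event = Dict[str, object]

# Constructed sample events (not from the guide): the fields a hierarchy map
# grouped by Category Behavior, Category Significance, and Target Address needs.
EVENTS: List[Event] = [
    {"categoryBehavior": "/Access", "categorySignificance": "/Compromise",
     "targetAddress": "10.0.0.10", "aggregatedEventCount": 5, "priority": 8},
    {"categoryBehavior": "/Access", "categorySignificance": "/Compromise",
     "targetAddress": "10.0.0.10", "aggregatedEventCount": 7, "priority": 6},
    {"categoryBehavior": "/Authentication/Verify", "categorySignificance": "/Informational",
     "targetAddress": "10.0.0.10", "aggregatedEventCount": 40, "priority": 3},
    {"categoryBehavior": "/Authentication/Verify", "categorySignificance": "/Informational",
     "targetAddress": "10.0.0.20", "aggregatedEventCount": 12, "priority": 2},
    {"categoryBehavior": "/Execute/Response/Informational", "categorySignificance": "/Informational",
     "targetAddress": "10.0.0.20", "aggregatedEventCount": 1, "priority": 9},
]

SOURCE_NODE_IDENTIFIERS: Tuple[str, ...] = ("categoryBehavior", "categorySignificance", "targetAddress")

# The functions the Group Attributes dialog offers. Count and Count Unique work
# on any field; the others are applied to numeric fields only.
FUNCTIONS: Dict[str, Callable[[Sequence[object]], object]] = {
    "Sum": sum,
    "Max": max,
    "Min": min,
    "Average": lambda values: sum(values) / len(values),
    "Count": len,
    "Count Unique": lambda values: len(set(values)),
}
NUMERIC_ONLY = {"Sum", "Max", "Min", "Average"}

GroupAttribute = Tuple[str, str, str]   # (label, function, field)
GROUP_ATTRIBUTES: Sequence[GroupAttribute] = (
    ("Event Count", "Sum", "aggregatedEventCount"),
    ("Priority", "Max", "priority"),
)


def group_events(events: Sequence[Event], identifiers: Sequence[str]) -> Dict[tuple, List[Event]]:
    """One block per distinct combination of Source Node Identifier values."""
    groups: Dict[tuple, List[Event]] = defaultdict(list)
    for event in events:
        groups[tuple(event.get(f) for f in identifiers)].append(event)
    return dict(groups)


def _is_numeric(value: object) -> bool:
    return isinstance(value, Number) and not isinstance(value, bool)


def compute_group_attributes(events: Sequence[Event],
                             identifiers: Sequence[str] = SOURCE_NODE_IDENTIFIERS,
                             attributes: Sequence[GroupAttribute] = GROUP_ATTRIBUTES) -> Dict[tuple, Dict[str, object]]:
    """Returns {block key: {label: value}}: the tooltip values for each block,
    which are also what Label By, Size By, and Color By can draw on."""
    result: Dict[tuple, Dict[str, object]] = {}
    for key, members in group_events(events, identifiers).items():
        block: Dict[str, object] = {}
        for label, function, field in attributes:
            values = [m[field] for m in members if field in m]
            if function in NUMERIC_ONLY and not all(_is_numeric(v) for v in values):
                raise TypeError(f"{function} can only be applied to a numeric field ({field})")
            block[label] = FUNCTIONS[function](values) if values else None
        result[key] = block
    return result


if __name__ == "__main__":
    for key, block in compute_group_attributes(EVENTS).items():
        print(key, block)
```

Grouping the same events by Target Address alone and asking for the Count Unique of categoryBehavior shows how many distinct behaviors each target has seen, a quick way to spot a host that attracts an unusual mix of activity. 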
Hierarchy Map Display and Visualization Controls 

After you create a Hierarchy Map Data Monitor, add it to a dashboard to display it so you can make 
further adjustments to the display. 

Map Display and an Example 

If no dashboards are displayed in the Viewer, simply right-click the Data Monitor you created, and 
select Add to Dashboard As > Area Map. This creates a new, untitled dashboard and adds the data 
monitor to it. (You can also add it to an existing dashboard.) 

The hierarchy map shown below is an example of the data monitor displayed on a dashboard. 



You can choose “Hierarchy Map” as the Data Monitor type when you create a new Data Monitor. To 
display the data monitor, add it to a Dashboard. 

Tip: More reminders on working with the Hierarchy Map data monitor 

• Before you can edit the visualization controls on the Hierarchy Map data monitor, you need to 
first add the data monitor to a dashboard and display the dashboard, as described just before the 
figure above. 

• If data monitor attributes are changed (edited) while a user is viewing the data monitor in a 
dashboard, the current data is flushed and the map defaults to red until new data arrives and the 
map display is redrawn. 
The example data monitor above shows events grouped by category behavior, significance and target 
address. The labels show category behavior, and the blocks are sized by priority and colored by 
significance. Mouse-over tooltips show event count and priority for each group. Note that we can 
change the display on the fly by choosing different label, size, and color options. For example, 
instead of coloring the blocks by Category Significance, we could color by Target Address. Or, instead 
of labeling by Category Behavior, we could label by Target Address. In this way, we can get quick, 
real-time, graphical overviews of network activity and adjust options to emphasize different details. 

Labels, Size, and Color Controls 

The visualization controls for Hierarchy Map Data Monitors are Label By, Size By, and Color By 
controls. (You might need to float the Viewer panel and expand the floating Viewer to see these 
controls. See "Changing the Console Display" on page 76.) 

• Label By - Select a label. The value of the label you select is displayed on each block. 

■ The default for Label By is all the fields specified for the source node identifier and the event 
count for that grouping. This shows as “Default” in the field. (The values available for use in the 
Label By field come from the attributes defined for Source Node Identifier and Group Attributes 
fields on the data monitor Editor. See "Source Node Identifier" on page 958 and "Group 
Attributes" on page 958 for more information.) 

■ If Label By is set to something other than the default, the last (bottom-most) field value in the 
hierarchy does not show on the map because the custom Label By setting overwrites it. 

However, data for all fields, including the last field, is always taken into account on the map. 

Use the default Label By option to show/visualize the complete hierarchy, including the last field 
value. 

• Size By - Select an identifier or attribute by which you want to size the blocks. Once you select the 
Size By attribute, the blocks are resized proportionate to the value selected. Only attributes that 
have numeric values are available, because you cannot size a block based on a non-numeric value. 

The values available for use in the Size By field come from the attributes defined for the Group 
Attributes field on the data monitor Editor. See "Group Attributes" on page 958 for more information. 

• Color By - Select an identifier or attribute by which you want to color the blocks. 

The values available for use in the Color By field come from the attributes defined for Source Node 
Identifier and Group Attributes fields on the data monitor Editor. See "Source Node Identifier" on 
page 958 and "Group Attributes" on page 958 for more information. 

If you select a non-numeric field, you can change the color for any discrete value. If you select a 
numeric field, you get the option to select either a color for a discrete value or a color for a range of 
values. (For more on this option, see "Selecting Colors for the Blocks" on the next page.) 

After you select label, size, and color values, be sure to save the dashboard. The next time you open 
the dashboard, the attributes you saved are applied to the next set of data. 

Format controls for the Hierarchy Map are available as drop-down menus on the map display in a data 
monitor. 


Note: After an edit of tree map attributes, there might be a time lag before there is a visual 
indication of the updates. You can force a redraw of the tree map by dragging the slider to resize 
the panel that contains the map. 


Selecting Colors for the Blocks 

You can color the blocks by selecting any of the Source Node Identifiers or Group Attributes that are 
displayed in the Color By drop-down menu. For example, if you select Priority in the Color By menu, 
then all blocks that have the same priority are displayed in the same color: all blocks with 
priority 1 may be displayed in red, all blocks with priority 2 may be displayed in blue, and so on. 

If the Color By attribute you select is discrete but non-numeric, you can define the colors for each value 
of the attribute. For attributes that have numeric values, you can individually assign a color per attribute 
value or specify a range and assign a color for that range. However, if the Color By attribute is Priority, 
you cannot specify a range. This is because there are already predefined colors for each level of 
priority. You can change a predefined color to a color of your choice for each priority level. 

Below the Label By, Size By and Color By fields is the Color Chooser box. This box displays all the 
values for the Color By group/field that you select. To individually assign a color for an attribute: 

1. Click the Discrete radio button (this button is visible only if you selected a numeric Color By 
attribute). 

2. Double-click a value button to open the Color Chooser dialog. 

3. Select a color that you want to display for all the boxes for which that value is applicable. 

4. Click OK. 
All the boxes that have that value are displayed in the new color. 

You can set a threshold for the maximum number of discrete values for which you can set a color. Set 
the console.ui.hmDataMonitor.discrete.threshold property in the console.defaults.properties file. 
If the number of discrete values exceeds this threshold, the color of all values beyond the 
threshold is set to white. 

To assign a color for a range of values (for numeric fields only): 

1. Click the Range radio button. 

2. Click the Add button to set a range and a color for that range. The Add a color mapping dialog opens. 

3. Select a value from the Min Attribute Value and Max Attribute Value menus to set the range. 

For example, if you want to set a range for Priority that falls in 3-to-6 range, select 3 from the Min 
Attribute Value menu and 6 from the Max Attribute Value menu. 

4. Click the Color Chooser button to open the color chooser. 

5. Select a color by clicking it and click OK. The color you choose is used to display all values falling 
in that range. In our range example in step 3, all blocks that display priority of 3, 4, and 5 have the 
color you just chose for the 3-6 range. 


Tip: If new data comes in after you change the color mapping but before you save the new 
mapping, you get a dialog asking you whether you want to save the changed mapping. If you 
select Yes, the Data Monitor is not refreshed with new data until you save the new mapping. 
When you save it, the new mapping is applied to the existing blocks and all future data 
displayed on the dashboard. 

If you select No, the new color mapping is applied to the existing data on the dashboard, but 
is not saved in the database. So, as soon as new data arrives, the new color mapping is 
overwritten by the original color mapping that exists in the database. 
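To make concrete what the Hierarchy Map computes for each block and how Color By colors it, here is an added Python example. It is not code from this guide or from ESM; the event records, field names, palette and the colors are constructed for illustration. It reproduces the two Group Attributes from the example above (Sum of aggregatedEventCount, Max of priority), the white fallback once the discrete-value threshold is crossed, and the range mapping read from the 3-to-6 example above (which colors priorities 3, 4 and 5, so the minimum is treated as inclusive and the maximum as exclusive; that boundary reading is an assumption).

```python
"""Added example, not code from the ArcSight Console User's Guide or from ESM:
a small model of what a Hierarchy Map data monitor computes for each block and
how Color By colours it. The event records, field names, palette and
thresholds are constructed for illustration."""

# Constructed sample events (ESM-style field names, made-up values).
EVENTS = [
    {"categoryBehavior": "/Access", "categorySignificance": "/Informational",
     "targetAddress": "10.0.0.5", "aggregatedEventCount": 3, "priority": 2},
    {"categoryBehavior": "/Access", "categorySignificance": "/Informational",
     "targetAddress": "10.0.0.5", "aggregatedEventCount": 2, "priority": 4},
    {"categoryBehavior": "/Access", "categorySignificance": "/Suspicious",
     "targetAddress": "10.0.0.7", "aggregatedEventCount": 1, "priority": 7},
    {"categoryBehavior": "/Execute", "categorySignificance": "/Compromise",
     "targetAddress": "10.0.0.9", "aggregatedEventCount": 5, "priority": 9},
]

# Group Attributes as in the guide's example: (label, function, field).
FUNCTIONS = {"Sum": sum, "Max": max}
GROUP_ATTRIBUTES = [("Event Count", "Sum", "aggregatedEventCount"),
                    ("Priority", "Max", "priority")]


def build_blocks(events, node_identifier, group_attributes=GROUP_ATTRIBUTES):
    """Group events by the Source Node Identifier fields, in order, and apply
    each Group Attribute function to the members of the group.
    Returns {hierarchy_tuple: {label: value}}, the data behind each tooltip."""
    groups = {}
    for ev in events:
        key = tuple(ev[field] for field in node_identifier)
        groups.setdefault(key, []).append(ev)
    blocks = {}
    for key, members in groups.items():
        attrs = {}
        for label, func_name, field in group_attributes:
            values = [m[field] for m in members]
            # A function can only be set on a numeric field (step 4 above).
            if not all(isinstance(v, (int, float)) for v in values):
                raise TypeError(f"{func_name} requires a numeric field: {field}")
            attrs[label] = FUNCTIONS[func_name](values)
        blocks[key] = attrs
    return blocks


def discrete_colors(values, palette, threshold):
    """Color By on discrete values: one palette colour per distinct value, and
    white for every value beyond the discrete threshold (the behaviour the
    guide describes for console.ui.hmDataMonitor.discrete.threshold)."""
    mapping = {}
    for i, value in enumerate(sorted(set(values), key=str)):
        mapping[value] = palette[i % len(palette)] if i < threshold else "white"
    return mapping


def range_color(value, ranges, default="gray"):
    """Color By on a numeric attribute with range mappings [(min, max, colour)].
    Read from the guide's 3-to-6 example, which colours 3, 4 and 5: the minimum
    is inclusive and the maximum exclusive (an assumption about the boundary)."""
    for low, high, colour in ranges:
        if low <= value < high:
            return colour
    return default


if __name__ == "__main__":
    ident = ("categoryBehavior", "categorySignificance", "targetAddress")
    ranges = [(0, 3, "green"), (3, 6, "orange"), (6, 11, "red")]
    for key, attrs in build_blocks(EVENTS, ident).items():
        # Sized by Event Count and coloured by the block's Max priority.
        print(key, attrs, range_color(attrs["Priority"], ranges))
```

Changing the tuple passed as `node_identifier` is the equivalent of editing the Source Node Identifier: a shorter tuple collapses the hierarchy into fewer, larger blocks, and the Sum and Max are recomputed over the larger membership.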


Hourly Counts Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

The Hourly Counts Data Monitor displays the total count of events on an hourly basis along with their 
Priority. The hourly count for the first hour segment starts when you open the dashboard. For example, 
if you open the dashboard at 2:25 PM, though the first time segment displays 14:00 - 15:00, the count 
begins at 2:25 PM. 
Hourly Counts Data Monitor 

Parameter                 Description 

Data Monitor Name         Enter a data monitor name. 

                          Depending on the permissions associated with the user group to which you 
                          belong, you may or may not have an option to Enable (deploy) or disable 
                          (un-deploy) the data monitor. For more information, see "Enabling or 
                          Disabling a Data Monitor" on page 257. 

Enable Data Monitor       Select the check box to enable the data monitor and collect data from the 
                          Manager. If not selected, the associated viewer configuration will not 
                          display any data. 

Restrict by Filter        Choose a filter resource to restrict the data monitor's contents. 

Availability Interval     Set the number of seconds to use as the interval between monitor updates. 

Select Field Set          Specify a field set for use in data monitor drill-downs. 

                          When this data monitor is displayed, the user can double-click on a chart 
                          area or table row that represents an event to bring up a drill-down channel 
                          for that event. 

                          The field set specified here will determine the columns (fields) shown in 
                          the drill-down channel. (See "Inspecting Events in Dashboards" on page 239 
                          for information on data monitor drill-downs.) 


As an example, you could design an Hourly Counts data monitor that displays hourly counts of data 
being collected, for example, the number of events that the Manager receives. 


Last N Events Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

The Last N Events data monitor orders events based on its configuration. In the Table Viewer, the 
monitor displays the most recent events by Priority, Event Name, Protocol, and Category. With the 
BarChartTable configuration, the order is by Priority and Event Name. The PieChart configuration is 
ordered by Priority. 


Last N Events Data Monitor 

Parameter                 Description 

Data Monitor Name         Type a data monitor name. 

Enable Data Monitor       Select the check box to enable the data monitor and collect data from the 
                          Manager. If not selected, the associated viewer configuration will not 
                          display any data. 

                          Depending on the permissions associated with the user group to which you 
                          belong, you may or may not have an option to Enable (deploy) or disable 
                          (un-deploy) the data monitor. For more information, see "Enabling or 
                          Disabling a Data Monitor" on page 257. 

Availability Interval     Set the number of seconds to use as the interval between monitor updates. 

Restrict by Filter        Choose a filter resource to use as an additional restriction on the events 
                          displayed. 

Select Field Set          Specify a field set for use in data monitor drill-downs. 

                          When this data monitor is displayed, the user can double-click on a chart 
                          area or table row that represents an event to bring up a drill-down channel 
                          for that event. 

                          The field set specified here will determine the columns (fields) shown in 
                          the drill-down channel. (See "Inspecting Events in Dashboards" on page 239 
                          for information on data monitor drill-downs.) 

# of Events               Specify how many events the data monitor displays. 

Field Names               Choose field names to include in the data monitor display. By default, the 
                          data monitor includes EventName, EventCategory, ArcSight Severity, and 
                          Protocol fields. You can select additional fields or remove currently 
                          selected fields by Shift- or Ctrl-clicking field names in the drop-down 
                          list. 


As an example, you could design a Last N Events data monitor that displays the latest N events that 
meet the condition specified in the dashboard definition. 


Last State Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

This monitor is somewhat different than others in that it provides an extra level of abstraction that you 
can use to simplify the information presented to operators. Sometimes called "indicator lights" or 
"heads-up displays," these monitors show graphics that translate more complex values into simple, 
rapidly observable results such as green/amber/red "signal lights" or checkmark/asterisk/exclamation 
point symbols. "Last State" data monitors could also be called "most recently known state" monitors. 

Last State data monitors are built on the information collected by "Active Lists" on page 787. The 
qualifying events in active lists are identified on the basis of selected key fields such as Source Zone 
and Source Address (see "Data Fields" on page 885). 

Having focused on the events that apply, you then select a field to use as the basis of the values the 
indicators will simplify. For example, the Priority field has a range of values you could divide into 
sub-ranges that you choose to translate into good/okay/bad groups. 

With a value-range and status-scheme decided, you can map the field values to the status names, and 
the status names to the visual indicators operators will see. 

Last State Data Monitor Parameters 

Last State Data Monitor 

Parameter                 Description 

Data Monitor Name         A unique name for the monitor. 

Enable Data Monitor       Select this check box to "switch on" the monitor and collect data from the 
                          Manager. If cleared, the monitor is "off" and displays no data. 

                          Depending on the permissions associated with the user group to which you 
                          belong, you may or may not have an option to Enable (deploy) or disable 
                          (un-deploy) the data monitor. For more information, see "Enabling or 
                          Disabling a Data Monitor" on page 257. 

Restrict by Filter        Choose a filter resource to use as an additional restriction on the events 
                          summarized through the indicators, if necessary. 

Availability Interval     Set the number of seconds to use as the interval between monitor updates. 

Select Field Set          Specify a field set for use in data monitor drill-downs. 

                          When this data monitor is displayed, the user can double-click on a chart 
                          area or table row that represents an event to bring up a drill-down channel 
                          for that event. 

                          The field set specified here will determine the columns (fields) shown in 
                          the drill-down channel. (See "Inspecting Events in Dashboards" on page 239 
                          for information on data monitor drill-downs.) 

Restrict by Active List   Choose an active list from the resource tree to use as the primary guide for 
                          event selection. 

Key Fields                Choose the fields to use as identifiers for the indicators, and the order in 
                          which to display them. 

Value Fields              Select the fields that provide the range of values to be mapped into 
                          indicators, and the order in which they are to be evaluated. 

Max Number of Indicators  Set the greatest number of qualifying indicators the data monitor will show. 
                          If more indicators are generated, the displayed set will be those with the 
                          most recent event traffic. 

Mapping                   Use the Define Status Map dialog box in two steps: first, on the Statuses 
                          tab, to associate status Titles with Image graphics; then, on the Mapping 
                          tab, to associate Value items contained by the Value Fields with the Status 
                          titles just defined. Be sure to define and select one "catch all" status to 
                          react to values that may fall outside the range you set. 

                          In the Value field, associate only one value at a time with the Status 
                          values you've defined. For example, if the values 0, 1, and 2 should all be 
                          associated with a Status of "Okay," enter each digit separately and click 
                          Add. 

Use as Timestamp          Choose whether to use the device's reported end-time or the Manager's 
                          receipt time as the definitive timestamp. 

History Function          Use this option to add a Min or Max column to grid views that shows the 
                          minimum or maximum value for the indicator, over the most recent time 
                          period specified by History Time Range. 

History Time Range        Used with the History Function. The (most recent) period of time, in 
                          minutes, for which to retain minimum or maximum value information for an 
                          indicator. For example, a value of 60 could cause an indicator's Max column 
                          in a table to show its highest registered value over the previous hour. 

Timeout                   Used with the History Function. Sets the time limit, in seconds, after 
                          which the Min and Max column values are purged if not already updated. 
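The parameters above interact in ways that are easier to see in code than in the dialog. The following is an added Python example, not code from this guide or from ESM, that models how a Last State data monitor turns Value Field values into indicators: key fields identify an indicator, a one-value-at-a-time mapping plus a catch-all status decides its image, Max Number of Indicators keeps only the most recently active ones, and the History Function returns the Min or Max over the History Time Range unless the Timeout has passed without an update. The field names, status titles, image file names and events are constructed for illustration.

```python
"""Added example, not code from the ArcSight Console User's Guide or from ESM:
a minimal model of how a Last State data monitor turns Value Field values into
status indicators. Field names, status titles, image names and events are
constructed for illustration."""


class LastStateMonitor:
    def __init__(self, key_fields, value_field, statuses, value_map, catch_all,
                 max_indicators, history_time_range_min=None, timeout_sec=None):
        self.key_fields = key_fields            # Key Fields: identify each indicator
        self.value_field = value_field          # Value Field whose values are mapped
        self.statuses = statuses                # Statuses tab: title -> image graphic
        self.value_map = value_map              # Mapping tab: one value -> one status title
        self.catch_all = catch_all              # status for values outside the map
        self.max_indicators = max_indicators    # Max Number of Indicators
        self.history_range = (history_time_range_min * 60
                              if history_time_range_min is not None else None)
        self.timeout = timeout_sec              # Timeout, in seconds
        self.indicators = {}                    # key tuple -> state, oldest traffic first

    def status_for(self, value):
        """Translate a raw value into a status title, falling back to the catch-all."""
        return self.value_map.get(value, self.catch_all)

    def update(self, event, now):
        """Apply one event: the indicator takes the most recently known state."""
        key = tuple(event[f] for f in self.key_fields)
        ind = self.indicators.pop(key, {"history": []})
        ind["value"] = event[self.value_field]
        ind["status"] = self.status_for(ind["value"])
        ind["image"] = self.statuses[ind["status"]]
        ind["last_seen"] = now
        ind["history"].append((now, ind["value"]))
        self.indicators[key] = ind              # re-insert so dict order equals recency
        # Over the maximum: keep the indicators with the most recent event traffic.
        while len(self.indicators) > self.max_indicators:
            oldest = next(iter(self.indicators))
            del self.indicators[oldest]

    def history(self, key, now, func):
        """History Function: Min or Max over History Time Range. None if the
        indicator is unknown, has no samples, or timed out without an update."""
        ind = self.indicators.get(key)
        if ind is None:
            return None
        if self.timeout is not None and now - ind["last_seen"] > self.timeout:
            return None
        window = [v for t, v in ind["history"]
                  if self.history_range is None or now - t <= self.history_range]
        return func(window) if window else None

    def view(self):
        """What the tile or table view shows: key -> (status title, image)."""
        return {k: (i["status"], i["image"]) for k, i in self.indicators.items()}


def demo():
    """Constructed run: priorities 0-2 map to Good, 3-5 to Okay, everything else
    to the catch-all Bad; at most two indicators; history over 60 minutes with
    a 300-second timeout. Times are seconds since the dashboard was opened."""
    statuses = {"Good": "green_light.png", "Okay": "amber_light.png",
                "Bad": "red_light.png"}
    value_map = {0: "Good", 1: "Good", 2: "Good", 3: "Okay", 4: "Okay", 5: "Okay"}
    mon = LastStateMonitor(("targetHostName", "targetAddress"), "priority",
                           statuses, value_map, "Bad", max_indicators=2,
                           history_time_range_min=60, timeout_sec=300)
    events = [
        (0,   {"targetHostName": "web01", "targetAddress": "10.0.0.5", "priority": 2}),
        (60,  {"targetHostName": "db01",  "targetAddress": "10.0.0.9", "priority": 8}),
        (120, {"targetHostName": "web01", "targetAddress": "10.0.0.5", "priority": 4}),
        (180, {"targetHostName": "fw01",  "targetAddress": "10.0.0.1", "priority": 0}),
    ]
    for t, ev in events:
        mon.update(ev, t)
    return mon


if __name__ == "__main__":
    m = demo()
    for key, (status, image) in m.view().items():
        print(key, status, image, "max over range:", m.history(key, 200, max))
```

In the constructed run the db01 indicator is dropped once a third indicator arrives, because its traffic is the oldest; that is the effect of Max Number of Indicators, and it is why an operator who needs a specific host visible should use the Tile view customization described below rather than relying on the cap.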


Options for Table and Tile Views 

In dashboards, you can see Last State data monitors as Table or Tile views. Click the View as icon 
button at the lower-right corner to choose Table or Tile view. 

The Table view will show more items than a modified Tile view. If the Tile view is customized to show 
results with particular values for key fields, it will show only a subset of the data monitor results. 

A color chooser is available to apply to the Table view. 

Table View (Color Chooser and Remove Entry) 

Also in Table view, you can right-click an entry in a Last State data monitor and choose Remove 
Entry. However, keep in mind the data monitor's "Availability Interval" setting. Removal does not 
visibly take place until the next refresh, during which time a new instance of the entry could occur. 
Depending on the entry and the interval, a removed entry may appear to have remained. 

Tile View (Customize View) 

When in Tile view, you can use the Customize button to change the way data is ordered in the 
tabular (tiled) presentation, and limit the view to a subset of data monitor results. The customization 
choices are by row-and-column and by cell. Row-and-column is quicker to set up than cell because 
there are fewer adjustments, but cell does give you the option to set the contents of each tile in the data 
monitor. The custom settings here, in effect, filter your view based on values you specify for key fields. 
For example, if you are interested in monitoring state changes on only four systems identified by target 
host name and target address, you can customize the view on a dashboard to show only those four 
systems. 



These tiled views are "fixed" meaning that the tiles in the array will hold their positions, relative to each 
other and to the dashboard. 
The customize view option on the Last State Data Monitor tile view gives Console users a way to 
design their own views and then get quick visuals on a few key assets or attackers: 

• Set up a custom, focused view of a few items that you are interested in (assets like servers that 
might be targets of attacks, suspicious nodes that might be attackers, and so forth). You do this by 
submitting values for the items you want to monitor (for example, host names and addresses, if 
those are your key fields). 

• In a single glance, get information on state changes in different priority events (low, medium, high) 
in these few items. Since the positions of the items in your custom tile view do not change, and 
because you have limited the view to a few key items, you can get last state status with a quick 
glance. 

• ArcSight Console users can customize dashboard views that use the same underlying Last State 
Data Monitor, but focus in on different items or assets (depending on how the data monitor custom 
view is set up on each dashboard). Fred could have a dashboard set up to monitor a few key servers 
based on host name and address, while Ethel could have a dashboard set up to monitor some 
firewalls, and both could be using the same underlying data monitor. 


Tip: Notes on the Customize view option for Last State Data Monitor 

■ This is a dashboard-level customization that essentially filters the view based on values you 
provide for key fields. The key fields that show up in the Viewer Settings come from the key 
fields set in the data monitor. 

■ A priority mapping needs to be configured in the data monitor in order for the quick-glance 
tile view to provide useful last state information. 

■ Customizations made to the Last State Data Monitor are saved to the dashboard that holds 
the data monitor, not to the data monitor itself. This allows the same data monitor to be used 
as a basis for different, customized views (dashboards) for quick-glance, priority state 
changes related to incoming events. 

■ The Customize view option applies only to the Tile view (not Table view). When you switch 
to the Table view, you can see results for other items in addition to the ones you “filtered” 
for on the customized Tile view. 



Moving Average Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

The Moving Average data monitor displays the moving average of events by a selected data field. The 
display provides a running count of events within a specified time frame and generates an event when 
the moving average changes significantly. 

If a Moving Average data monitor is configured to display multiple graphs simultaneously, you can open 
it using the Statistics Chart or Tile format options described in "Managing Dashboards" on page 241. 

This data monitor calculates its statistics based on the number of requested samples. Until a full set of 
samples accumulates, the statistics approach their nominal value. This is indicated by appending 
/Partial to the event category if the values represent an incomplete sample. The purpose is to prevent 
false positives. This is most applicable to /DataMonitor/MovingAverage/Threshold/ events. 

When either the Moving Average or Statistics data monitors gain or lose a value grouping during 
processing (for example, Priority), they issue an internal event. The data monitor's event categorization 
shows a Value/Add or Value/Remove suffix. This makes it possible to detect anomalous drops to zero, 
which could otherwise be missed if the grouping was removed because of the discard threshold and a 
Threshold/Falling event could not be sent (because the Maximum Alarm Frequency setting was exceeded). 

Both the Moving Average and Statistics data monitors have a Stats Value Field. When used, this 
attribute focuses the monitor's statistical analysis on the numeric value of a specified field rather than 
on the quantitative flow of events. Analyzing numeric fields within events enables a broad number of 
possibilities for status monitoring, especially with custom strings and ArcSight "Audit Events". 

The Value Calculation field offers additional time-sensitive options for monitoring in second or minute 
increments. Monitoring per-second can catch abrupt spikes or drops; monitoring per-minute allows the 
same capability but may be more appropriate for larger integer values. 


Moving Average Data Monitor 

Parameter                   Description 

Data Monitor Name           Type a data monitor name. 

Enable Data Monitor         Select the check box to enable the data monitor and collect data from the 
                            Manager. If not selected, the associated viewer configuration will not 
                            display any data. 

                            Depending on the permissions associated with the user group to which you 
                            belong, you may or may not have an option to Enable (deploy) or disable 
                            (un-deploy) the data monitor. For more information, see "Enabling or 
                            Disabling a Data Monitor" on page 257. 

Restrict by Filter          Specifies whether to restrict the data monitor to a particular filter. 
                            When restricting by filter, you focus on a filter that is of particular 
                            interest to you and also reduce the number of events the data monitor 
                            retrieves. From the drop-down menu, double-click a filter or accept the 
                            default to receive all events. 

Availability Interval       Set the number of seconds to use as the interval between monitor updates. 

Select Field Set            Specify a field set for use in data monitor drill-downs. 

                            When this data monitor is displayed, the user can double-click on a chart 
                            area or table row that represents an event to bring up a drill-down 
                            channel for that event. 

                            The field set specified here will determine the columns (fields) shown in 
                            the drill-down channel. (See "Inspecting Events in Dashboards" on page 
                            239 for information on data monitor drill-downs.) 

Stats Value Field           Specify a particular numeric field within events to use for statistical 
                            evaluation, rather than the overall flow of events. For example, 
                            specifying the Priority field would focus the data monitor on changes to 
                            the value of the Priority field in events, instead of on changes to the 
                            number of events encountered. 

                            The default is Aggregated Event Count, which is the sum of all aggregated 
                            events. 

                            Tip: Events can be aggregated at the Connector on specified fields. This 
                            pares down the number of events of the same type that the Manager must 
                            process. 

Value Calculation           Controls the way the time-based accumulation of values is evaluated 
                            against the number of events involved. 

                            The default is Sum of values, which is the sum of all Stats Value Field 
                            event values. 

                            Average value per event divides the value by the number of events in the 
                            unit. 

                            Average value per second divides the value by the number of seconds in 
                            the unit. 

                            Average value per minute divides the value by the number of minutes in 
                            the unit. 

                            For finer time-sensitive value calculations, also consider using the 
                            Number of Samples and Sampling Interval so results are neither too 
                            shallow nor too acute to be meaningful. 

Group By                    Group by the specified field (for example, Priority). 

Sorted By                   Sort by the values found in fields or by the percentage of change in 
                            those values. 

Alarm Change Threshold (%)  Specifies the moving average threshold, the percent change from the 
                            moving average, that will send a threshold exceeded event to the ArcSight 
                            Console. The threshold exceeded event is sent to the Console and can be 
                            used to create a rule. For more information on rules, see "Managing Rule 
                            Actions" on page 515. Type in a percentage. The default is 50. 

Number of Samples           Type the number of Sampling Intervals to use to calculate the moving 
                            average, in seconds. The most recently stored Sampling Intervals are used 
                            to calculate the moving average. For example, if five Number of Samples 
                            are used, the last five Sampling Intervals are used to calculate the 
                            moving average. 

Number of Visible Groups    Set the number of rows of results to display in the data monitor for each 
                            combination of ordering fields specified in the Group By parameter. 

Sampling Interval           Type the time interval used to calculate the moving average, in seconds. 
                            For example, if the Sampling Interval is 5 minutes, the moving average is 
                            calculated every 5 minutes. The default is 300. 

Group Discard Threshold     Specifies the minimum event counts needed to generate a threshold 
                            exceeded event. 

                            For example, event count could change from 1 to 2, a 100% change that 
                            results in a threshold exceeded event. To prevent these types of changes 
                            from generating a threshold exceeded event, specify the minimum event 
                            counts needed. If you want all events generated regardless of the event 
                            count, type 0. 

Maximum Alarm Frequency     Minimum time (in seconds) to wait before sending alarms for the same 
                            group. 


For example, you could design a Moving Average data monitor that displays the moving average of 
events on a per-source-address basis. 

In ArcSight Reports/Custom Reports/Moving Average Report, you can specify the name of the 
dashboard as a parameter (same as the moving average event name), and specify the detect time 
range to report on. 

Note: You can also have a rule trigger based on the moving average of events coming in, 
independent of defining reports based on moving average events. 


Rules Partial Match Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create 
a data monitor, see "Creating a Data Monitor" on page 246. 

Displays rules that have partial matches and the total number of partial match events within a specified
timeframe. See also "Automatically Disabled Rules" on page 1029.


Rules Partial Match Data Monitor 


Parameter Description 

Data Monitor Name

Type a data monitor name.

Enable Data Monitor

Select the check box to enable the data monitor and collect data from the Manager. If
not selected, the associated viewer configuration will not display any data.

Depending on the permissions associated with the user group to which you belong, you
may or may not have an option to Enable (deploy) or disable (un-deploy) the data
monitor. For more information, see "Enabling or Disabling a Data Monitor" on page 257.

Window Size

Specifies the time interval used to report partial match counts, in seconds. For
example, if using 1 hour as the Window Size, each window displays partial match
counts in hour intervals. The default is 3600.



Number of Windows To Display

Type the number of Window Sizes to display. The default is 5.

Fixed or Sliding

Specifies when to begin the Window Size time interval. Choose Fixed to begin at time
units, such as every hour, 1:00, 2:00, and so forth, or Sliding to begin at the current
time and move backwards in Window Size time intervals. For example, if the window
size is 10 minutes, and the current time is 1:15 PM and Fixed was selected, the
window timeframes would be 1:00 to 1:09 and 1:10 to 1:15. If Sliding was selected,
window timeframes would be 1:00 to 1:04 and 1:05 to 1:15.


For example, you could design a Rules Partial Match data monitor that displays all events that have 
partially matched and enabled real-time rule conditions, and are currently stored in memory. 


Session Reconciliation Data Monitor 

You choose this data monitor type when you create a new data monitor. For information on how to
create a data monitor, see "Creating a Data Monitor" on page 246.

The Session Reconciliation data monitor correlates events on the basis of their occurrence within a 
relevant time period, as established by a "session" event. When an event is qualified as session- 
initiating by the Session Filter, a session begins. The session persists until it times out or a new 
primary event occurs. Point events (occurring within the session time period) cause a correlation event 
that contains selected information from both events. 

Note: We strongly recommend that you use the Session List feature to maintain session 
information instead of the Session Reconciliation data monitor. The Session List feature provides 
a more scalable, flexible, and powerful way to collect session data. 

You typically use this data monitor to watch network devices that involve longer-term concerns, such 
as DHCP leases. 

The Event Reconciliation Data Monitor is similar to the Session Reconciliation Data Monitor in some
respects. Their main difference is in the way each handles the scope of reconciliation sessions. Event
Reconciliation focuses on accomplishing a certain number of event matches; Session Reconciliation
permits an indeterminate number of matches while appropriate events continue to occur.

The Session Reconciliation data monitor automatically compensates for session-initiating events that 
arrive out of order. 
Session Reconciliation Data Monitor


Parameter Description

Data Monitor Name

Type a data monitor name.

Enable Data Monitor

Select the check box to enable the data monitor and collect data from the Manager. If
not selected, the associated viewer configuration will not display any data.

Depending on the permissions associated with the user group to which you belong,
you may or may not have an option to Enable (deploy) or disable (un-deploy) the data
monitor. For more information, see "Enabling or Disabling a Data Monitor" on
page 257.

Restrict by Filter

Specifies whether to restrict the data monitor to a particular filter. This filter precedes
the Session Filter and Point Filter. From the drop-down menu, double-click a filter
resource.

Availability Interval

Sets the number of seconds to use as the interval between monitor updates.

Select Field Set

Specify a field set for use in data monitor drill-downs.

When this data monitor is displayed, the user can double-click on a chart area or table
row that represents an event to bring up a drill-down channel for that event.

The field set specified here will determine the columns (fields) shown in the drill-down
channel. (See "Inspecting Events in Dashboards" on page 239 for information on data
monitor drill-downs.)

Session Filter

The filter for those events that will initiate data-monitoring sessions. Compare to Point
Event Filter.

Matching Fields

The set of fields to consider when establishing whether two events match.

Session Inclusion Fields

The fields to add to the generated event, from the session-initiating event, when
correlation occurs.

Point Event Filter

The filter for the events that may match the events that initiate data-monitoring
sessions. Compare to Session Filter.

Point Inclusion Fields

The fields to add to the generated event, from the point event, when correlation
occurs.

Expired Session Timeout

The amount of time (in minutes) to retain a record of expired or replaced active
sessions so that late or out-of-order point events can be properly processed.

Active Session Timeout

The time (in minutes) to allow before timing out a session if no new session events or
point events occur.

Point Event Holding Period

The amount of time (in seconds) to retain point events to allow late or out-of-order
session events to arrive and initiate sessions.

Events to Generate

Choose which types of correlation events are eligible to generate when session and
point events match.

• Point Event Matched Sessions - A session/point event-match occurred. A
correlation event was generated containing the events' selected information.

• No Session Matched Point Event - A point event occurred without a live matching
session. No information is included in the correlation event.

• Session Expired Event - Session expiration or replacement generates an event.
Note that expiration or replacement is not complete deletion.

• Session Pruned Event - Complete deletion of the session generates an event.

Aggregation Threshold

The number of matches to use as the threshold for generating a correlation event.

Reporting Interval

The interval (in seconds) to require between correlation events.


Statistics Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create
a data monitor, see "Creating a Data Monitor" on page 246.

The Statistics Data Monitor provides a broader generalization of Moving Average data monitor 
functionality, except that it allows selection of other statistical methods in addition to Moving Average. 
Statistical methods include Average, Moving Average, Standard Deviation, Skew, and Kurtosis. These 
added capabilities could be used to detect anomalous behavior that could not be detected using moving 
average alone. 

For example, monitoring the standard deviation of event data allows alarms to be triggered when there 
are sudden shifts in the rate of change of an event flow. This would allow alarms to be triggered when 
the protected network has been infected with a worm, but not when the network traffic rises due to 
normal use. 

Both the Statistics and Moving Average data monitors have a Stats Value Field. When used, this
attribute focuses the monitor's statistical analysis on the numeric value of a specified field rather than
on the quantitative flow of events. Analyzing numeric fields within events enables a broad number of
possibilities for status monitoring, especially with custom strings and ArcSight "Audit Events" on
page 812.

In dashboards, you can see Statistics data monitors as Statistics Chart or Tile views. Click the View
as icon button at the lower-right corner to choose. When in Tile view, you can use the Customize
button to change the way data is ordered in the tabular (tiled) presentation. The customization
choices are by row-and-column and by cell. Row-and-column is quicker to set up than cell because
there are fewer adjustments, but cell does give you the option to set the contents of each tile in the
data monitor.

When either the Moving Average or Statistics data monitor gains or loses a value grouping during
processing (for example, a Priority value), it issues an internal event. The data monitor's event
categorization shows a Value/Add or Value/Remove suffix. This makes it possible to detect anomalous
drops to zero, which can otherwise be missed when the grouping is removed by the discard threshold
and a Threshold/Falling event could not be sent (because the Maximum Alarm Frequency setting was
exceeded).

These tiled views are "fixed," meaning that the tiles in the array will keep their positions, relative to 
each other and to the dashboard. 


Statistics Data Monitor 


Parameter Description 

Data Monitor Name

Enter a data monitor name.

Enable Data Monitor

Select the check box to enable the data monitor and collect data from the Manager. If
not selected, the associated viewer configuration will not display any data.

Depending on the permissions associated with the user group to which you belong, you
may or may not have an option to Enable (deploy) or disable (un-deploy) the data
monitor. For more information, see "Enabling or Disabling a Data Monitor" on page 257.

Restrict by Filter

Choose to restrict the data monitor to a particular filter. When restricting by filter, you
focus on a filter that is of particular interest to you and also reduce the number of events
the data monitor retrieves.

Availability Interval

Set the number of seconds to use as the interval between monitor updates.

Select Field Set

Specify a field set for use in data monitor drill-downs.

When this data monitor is displayed, the user can double-click on a chart area or table
row that represents an event to bring up a drill-down channel for that event.

The field set specified here will determine the columns (fields) shown in the drill-down
channel. (See "Inspecting Events in Dashboards" on page 239 for information on data
monitor drill-downs.)

Statistics Type

Choose the type of statistical calculation the data monitor will perform. The available
types are Average, Identity, Kurtosis, Skew, Standard Deviation, and Variance.

Stats Value Field

Specify a particular numeric field within events to use for statistical evaluation, rather
than the overall flow of events. For example, specifying the Priority field would focus
the data monitor on changes to the value of the Priority field in events, instead of on
changes to the number of events encountered.

Group By

Group by the specified field (for example, Name).

Sorted By

Choose to sort results by value, sample count, statistics, or triggering criteria.

Alarm Trigger Condition

Enter a conditional expression on which to trigger alarms.

You can use any mathematical expression that employs these three variables, using n
as the "Number of Samples" below:

c = The new sample

ps = Statistics from previous n samples excluding c

s = Statistics from the last n samples including c

For example, the following expression would trigger when the current sample goes
beyond 500:

c >= 500

An expression that triggers when the statistics reach 500 would be:

s >= 500

As a matter of interest, the Moving Average data monitor is in effect a special case of
the Statistics data monitor, based on this expression:

s != 0 && (abs((c - s)/s) * 100) > 50

where 50 is the percent of change you specify in the Moving Average data monitor.

See "Data Monitor Expressions" on page 986 for more information about the operators
and functions supported in this and similar data monitor parameters that accept
conditional expressions.

Number of Samples

Specify the number of most-recent Sampling Intervals to retain in memory and use to
calculate event statistics. For example, if you set it to retain 5 sampling intervals, the
last five periods (as specified in the Sampling Intervals attribute) are used to calculate
the moving average.

# of Groups to Display

Set the number of rows of results to display in the data monitor for each combination of
ordering fields specified in the Group By parameter.

Sampling Interval

Enter the time interval for recalculating event statistics, in seconds. For example, if the
Sampling Interval is 5 minutes, the moving average is calculated every 5 minutes.

Group Discard Condition

Enter a condition (a filtering expression) by which to remove certain result rows from
consideration in statistical calculations, based on the result ordering set in the Group
By attribute.

See "Data Monitor Expressions" on page 986 for more information about the operators
and functions supported in this and similar data monitor parameters that accept
conditional expressions.

Maximum Alarm Frequency

Minimum time (in seconds) to wait before sending alarms for the same group.
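The sampling loop that the Moving Average parameters and the Statistics parameters above describe (Number of Samples, Sampling Interval, Group Discard Threshold, Maximum Alarm Frequency), as an added Python model; it is not ESM's own code, whose internals the page does not show. The Alarm Trigger Condition is supplied as a Python callable over the page's c, ps and s values rather than in the data monitor expression syntax, and the event stream, the group value and the 300-second, 3-sample configuration are constructed for the example.

```python
from collections import defaultdict, deque, namedtuple
from statistics import mean

Alarm = namedtuple("Alarm", "group time c ps s")


class StatisticsMonitor:
    """Model of the Moving Average / Statistics data monitor sampling loop.
    Added example; ESM's real implementation is not on the page."""

    def __init__(self, sampling_interval, number_of_samples, trigger,
                 group_discard_threshold=0, max_alarm_frequency=0, statistic=mean):
        self.sampling_interval = sampling_interval      # seconds per sample
        self.n = number_of_samples                      # intervals kept in memory
        self.trigger = trigger                          # callable(c, ps, s) -> truthy
        self.group_discard_threshold = group_discard_threshold
        self.max_alarm_frequency = max_alarm_frequency  # seconds between alarms per group
        self.statistic = statistic                      # Statistics Type; mean = moving average
        self.counts = defaultdict(int)                  # events in the open interval, per group
        self.samples = defaultdict(lambda: deque(maxlen=number_of_samples))
        self.last_alarm = {}                            # group -> time of its last alarm
        self.interval_end = None

    def on_event(self, timestamp, group):
        """Count one event; close any sampling intervals the clock has passed.
        Returns the alarms produced by the intervals closed."""
        alarms = []
        if self.interval_end is None:
            start = timestamp - timestamp % self.sampling_interval
            self.interval_end = start + self.sampling_interval
        while timestamp >= self.interval_end:
            alarms.extend(self._close_interval())
        self.counts[group] += 1
        return alarms

    def _close_interval(self):
        alarms = []
        now = self.interval_end
        for group in set(self.samples) | set(self.counts):
            c = self.counts.get(group, 0)          # the new sample
            history = self.samples[group]          # previous n samples, excluding c
            if history:                            # need at least one earlier sample
                ps = self.statistic(history)
                s = self.statistic((list(history) + [c])[-self.n:])
                # Group Discard Threshold: tiny counts never raise an alarm (1 -> 2 is +100%)
                if c >= self.group_discard_threshold and self.trigger(c, ps, s):
                    last = self.last_alarm.get(group)
                    # Maximum Alarm Frequency: one alarm per group per period
                    if last is None or now - last >= self.max_alarm_frequency:
                        self.last_alarm[group] = now
                        alarms.append(Alarm(group, now, c, ps, s))
            history.append(c)
        self.counts.clear()
        self.interval_end = now + self.sampling_interval
        return alarms


def moving_average_trigger(percent_change):
    """The page's Moving Average special case: s != 0 && (abs((c - s)/s) * 100) > percent."""
    return lambda c, ps, s: s != 0 and abs((c - s) / s) * 100 > percent_change


GROUP = "10.0.0.5"   # constructed source address used as the Group By value

# Constructed event stream: 10 events in each of three 300 s intervals, a spike of
# 40 in the fourth, 100 in the fifth, one in the sixth, and a final event at 1800 s
# whose only job is to close the sixth interval.
SAMPLE_EVENTS = (
    [(base + 30 * i, GROUP) for base in (0, 300, 600) for i in range(10)]
    + [(900 + i, GROUP) for i in range(40)]
    + [(1200 + i, GROUP) for i in range(100)]
    + [(1500, GROUP), (1800, GROUP)]
)


def run_sample(max_alarm_frequency=600):
    monitor = StatisticsMonitor(
        sampling_interval=300, number_of_samples=3,
        trigger=moving_average_trigger(50),
        group_discard_threshold=2, max_alarm_frequency=max_alarm_frequency)
    alarms = []
    for timestamp, group in SAMPLE_EVENTS:
        alarms.extend(monitor.on_event(timestamp, group))
    return alarms


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)   # the 40-event spike at 1200 s; the 100-event one is rate-limited
```

With Maximum Alarm Frequency at 600 seconds only the first spike alarms; with it at 0 the second spike (c=100 against s=50) alarms as well, and the single-event sixth interval is always dropped by the discard threshold.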


System Monitor Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create
a data monitor, see "Creating a Data Monitor" on page 246.

The System Data Monitor provides measurements based on Manager internal monitoring system Java 
classes and attributes. A number of system monitors that may be particularly useful to administrators 
are provided as predefined System Data Monitors that you can include in your dashboard displays to 
monitor system performance. 


System Monitor Data Monitor 


Parameter Description

Data Monitor Name

Type a data monitor name.

Enable Data Monitor

Select the check box to enable the data monitor and collect data from the Manager. If
not selected, the associated viewer configuration will not display any data.

Depending on the permissions associated with the user group to which you belong, you
may or may not have an option to Enable (deploy) or disable (un-deploy) the data
monitor. For more information, see "Enabling or Disabling a Data Monitor" on page 257.

Monitor Types

From the drop-down menu, select the name of the ArcSight Java class for which you want
to display attribute measurements, for example, Throughput meter or Status.


System Monitor Attribute Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create
a data monitor, see "Creating a Data Monitor" on page 246.

The System Monitor Attribute Data Monitor is similar to the System Monitor data monitor, except that,
rather than providing measurements for all attributes of a specified Java class, it focuses on a single
specific attribute of a given ArcSight Java class. (Used primarily for measurements on attributes that
provide complex data structures.) A number of predefined system monitors are provided that you may
want to include in your dashboard displays to monitor system performance.


System Monitor Attribute Data Monitor 
Parameter Description 


Data Monitor Name

Type a data monitor name.

Enable Data Monitor

Select the check box to enable the data monitor and collect data from the Manager. If
not selected, the associated viewer configuration will not display any data.

Depending on the permissions associated with the user group to which you belong, you
may or may not have an option to Enable (deploy) or disable (un-deploy) the data
monitor. For more information, see "Enabling or Disabling a Data Monitor" on page 257.

Monitor Types

From the drop-down menu, select the name of the ArcSight Java class for which you want
to display attribute measurements, for example, Throughput meter or Status.

Attribute Name

Specify the individual attribute of the specified ArcSight Java class for which you want
to display information. You can obtain the names of specific attributes in a class by
viewing the results of a System Monitor defined for that class.


Top Value Counts Data Monitor 

The data monitor type is chosen when you create a new data monitor. For information on how to create
a data monitor, see "Creating a Data Monitor" on page 246.

The Top Value Counts data monitor displays top events by selected data field, the total number of 
events, and the event Severity within the total number of events with the Table and BarChartTable 
viewer configurations. 

Top Value Counts uses a "bucketized" aggregation mechanism that precisely and predictably controls
the time dimension of the data being evaluated. "Bucketized" means that the monitor evaluates a
specific number of time-based event data units of a certain size (buckets). As time increments forward,
the evaluation refreshes, using the most recent set of qualifying buckets. Data monitor buckets process
live data. You should expect some delay, ranging from milliseconds to seconds, between the Manager's
receipt of the event and when the event is processed by the data monitor. The latest bucket may
therefore not have counted all the events up to the current millisecond. Eventually the count
discrepancy is resolved and the bucket counts will be correct.


Top Value Counts Data Monitor 


Parameter Description

Data Monitor Name

Enter a data monitor name.

Enable Data Monitor

Select the check box to enable the data monitor and collect data from the Manager. If
not selected, the associated viewer configuration will not display any data.

Depending on the permissions associated with the user group to which you belong, you
may or may not have an option to Enable (deploy) or disable (un-deploy) the data
monitor. For more information, see "Enabling or Disabling a Data Monitor" on page 257.

Restrict by Filter

Specify a filter to focus on events that are of particular interest and to reduce the
number of events the data monitor processes. Use a filter when the number of possible
Aggregate Field values can exceed the maximum for # of Distinct Events.

Availability Interval

Sets the number of seconds to use as the interval between monitor updates.

Select Field Set

Specify a field set for use in data monitor drill-downs.

When this data monitor is displayed, the user can double-click on a chart area or table
row that represents an event to bring up a drill-down channel for that event.

The field set specified here will determine the columns (fields) shown in the drill-down
channel. (See "Inspecting Events in Dashboards" on page 239 for information on data
monitor drill-downs.)

Bucket Size in Seconds

The time dimension for individual event data units. A number of these units make up the
value used in Number of Buckets. For example, you might use a value of 300 to
create five-minute buckets. Bucket size and frequency (increasing freshness and
resolution) does have a performance cost, so it is wise to set buckets to run only as
small and fast as actually necessary.

Number of Buckets

The overall time dimension to evaluate, expressed as the appropriate number of
Bucket Size units. For example, to evaluate the most recent hour using five-minute
buckets, you would enter 12. Bucket size and frequency (increasing freshness and
resolution) does have a performance cost, so it is wise to set buckets to run only as
small and fast as actually necessary.

Time Field

Choose the specific event timestamp to use to apply events to time buckets.

# Top Entries

The number of entries to show as "top" values.


# of Distinct Events

This value must equal or exceed the maximum number of values that the Aggregate
Field can possibly have. The default is 1,000. The maximum is 10,000. This value
controls the upper limit on the number of aggregate field values. If it is smaller than
necessary, then when it encounters one more Aggregate Field value than allowed, the
Data Monitor resets all the counters, clears the data, and starts over at zero.

If you specify more than one Aggregate Field, the maximum number of possibilities is
the product of the possible values of all fields. For example, if you are aggregating by
users and zones in an environment with 200 users and 15 zones, the number of
possibilities is 200 x 15 = 3,000. If the number of possibilities is larger than the
maximum of 10,000, use a filter to reduce them.

Aggregate Field

Specify one or more data fields to monitor. For more information, see "Data Fields" on
page 885. To monitor the top 10 source IP addresses, for example, select the Source
Address data field from the drop-down menu. If you specify more than one field, the
total number of possible combinations is the product of the number of possible values
for each field you specify. Make sure that the # of Distinct Events field is large enough
to accommodate this number.

Value Field

Specify what the data monitor will use when determining the top value counts: the
number of matching events, or the sum of a particular data field value in all matching
events.

• To count events, leave this field empty. (This is equivalent to selecting the
Aggregated Event Count field. When the Value Field is not specified, the data
monitor uses the data field specified in the Aggregate Field to count events.)

• To sum the values from a particular data field, use the data field selector for the
"Value Field" attribute to select the desired field.

In either case, counts from aggregated events will be properly adjusted.

Send Audit Events

Specify generation of audit events for this data monitor. By default, audit events are not
generated. Refer to "Audit Events" on page 812 and look for the audit events under "Top
Value Counts Data Monitor."


Data Monitor Expressions 

Certain data monitor parameters can specify their own conditional expressions with which to flexibly 
define triggers or results. For example, you use these expressions in the Statistics data monitor's 
Alarm Trigger Condition and Group Discard Condition parameters to evaluate when to send an alarm or 
to remove result rows from statistical calculations. 

The type of expression supported is a conventional infix mathematical expression with each basic 
expression separated by parentheses. 


HP ESM (6.9.1c) 


Page 986 of 1106 


ArcSight Console User's Guide 
Chapter 29: Reference Guide 


All common arithmetic operators are supported. Boolean operators are also fully supported and Boolean 
expressions evaluate as either 1 or 0 (true or false). 

Supported Data Monitor Expression Operators 



Data Monitor Expression Operators 


Operator: Symbol

Power: ^

Boolean Not: !

Unary Plus: +x

Unary Minus: -x

Modulus: %

Division: /

Multiplication: *

Addition: +

Subtraction: -

Less Than or Equal: <=

More Than or Equal: >=

Less Than: <

Greater Than: >

Not Equal: !=

Equal: ==

Boolean And: &&

Boolean Or: ||




Supported Data Monitor Expression Functions 

Data Monitor Expression Functions 


Name: Function

Sine: sin()

Cosine: cos()

Tangent: tan()

Arc Sine: asin()

Arc Cosine: acos()

Arc Tangent: atan()

Hyperbolic Sine: sinh()

Hyperbolic Cosine: cosh()

Hyperbolic Tangent: tanh()

Inverse Hyperbolic Sine: asinh()

Inverse Hyperbolic Cosine: acosh()

Inverse Hyperbolic Tangent: atanh()

Natural Logarithm: ln()

Logarithm Base 10: log()

Angle: angle()

Absolute Value / Magnitude: abs()

Random Number (between 0 and 1): rand()

Modulus: mod()

Square Root: sqrt()

Sum: sum()
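An evaluator for the operator and function tables above, added as an illustration of the expression syntax and not ESM's own parser: the ESM spellings &&, ||, ! and ^ are rewritten to Python syntax, the expression is parsed with Python's ast module, only the listed operators and functions are permitted, and Boolean results come back as 1 or 0 as the text states. The semantics of angle() and sum(), which the page lists without defining, are assumptions.

```python
import ast
import math
import operator
import random
import re

# Functions from the "Data Monitor Expression Functions" table. angle() and sum()
# are listed without a definition; atan2 and a variadic sum are assumptions.
FUNCTIONS = {
    "sin": math.sin, "cos": math.cos, "tan": math.tan,
    "asin": math.asin, "acos": math.acos, "atan": math.atan,
    "sinh": math.sinh, "cosh": math.cosh, "tanh": math.tanh,
    "asinh": math.asinh, "acosh": math.acosh, "atanh": math.atanh,
    "ln": math.log, "log": math.log10, "sqrt": math.sqrt, "abs": abs,
    "mod": math.fmod, "rand": random.random,
    "angle": math.atan2,            # assumption
    "sum": lambda *xs: sum(xs),     # assumption
}

# Arithmetic and comparison operators from the operator table.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def to_python_syntax(expr):
    """Rewrite the ESM operators whose spelling differs from Python's."""
    expr = expr.replace("&&", " and ").replace("||", " or ").replace("^", "**")
    return re.sub(r"!(?!=)", " not ", expr).strip()   # '!' but not '!='


def _eval(node, env):
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in env:
            return env[node.id]
        raise ValueError("unknown variable: " + node.id)
    if isinstance(node, ast.UnaryOp):
        value = _eval(node.operand, env)
        if isinstance(node.op, ast.USub):
            return -value
        if isinstance(node.op, ast.UAdd):
            return +value
        if isinstance(node.op, ast.Not):
            return 0 if value else 1
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.BoolOp):
        # Short-circuit, so the page's "s != 0 && ..." guard prevents division by zero.
        is_and = isinstance(node.op, ast.And)
        for operand in node.values:
            value = _eval(operand, env)
            if is_and and not value:
                return 0
            if not is_and and value:
                return 1
        return 1 if is_and else 0
    if isinstance(node, ast.Compare):
        left = _eval(node.left, env)
        for op, comparator in zip(node.ops, node.comparators):
            right = _eval(comparator, env)
            if type(op) not in CMP_OPS or not CMP_OPS[type(op)](left, right):
                return 0
            left = right
        return 1
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
            and node.func.id in FUNCTIONS and not node.keywords:
        return FUNCTIONS[node.func.id](*[_eval(arg, env) for arg in node.args])
    raise ValueError("unsupported syntax: " + ast.dump(node))


def evaluate(expr, **variables):
    """Evaluate a data monitor expression; Boolean results are 1 or 0."""
    tree = ast.parse(to_python_syntax(expr), mode="eval")
    return _eval(tree, variables)


# The Moving Average special case quoted on the page, with a 50 percent threshold.
MOVING_AVERAGE_TRIGGER = "s != 0 && (abs((c - s)/s) * 100) > 50"

if __name__ == "__main__":
    print(evaluate("c >= 500", c=600))                    # 1
    print(evaluate(MOVING_AVERAGE_TRIGGER, c=80, s=50))    # 1, a 60 percent change
    print(evaluate(MOVING_AVERAGE_TRIGGER, c=80, s=0))     # 0, guarded by s != 0
```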
Device

See "Assets" on page 797 for a discussion of network devices.


Event Inspector 

The Event Inspector is a tool for examining event details (see "Events" on the next page and "Event
Categorization" on page 990 for information about events). The Event Inspector is located in the
ArcSight Console's Inspect/Edit panel. To open the Event Inspector, double-click an event line in a grid
view. See "Views" on page 1101.

There are two panels in the Event Inspector. The top panel displays selected events with associated 
rules. The events listed here have a set of right-click menu commands similar to those described in 
"Using Active Channels" on page 228. The bottom panel displays event details for one or more events 
that have been selected from the top panel. If you select more than one event from the top panel, only 
their common values are displayed in the bottom panel. 

The Event Inspector can display the chain of events that trigger a rule (see "Rules" on page 1029) and
generate a correlation event. From the Event Inspector you can view each event and rule in the chain
for details.

Depending on the information available for an event, you may also be able to review its business 
significance in the Impact Analysis tab or its actual content in the Payload tab. 

Tip: Viewing global variables in the Event Inspector 

When you view events in an active channel and open an event that contains a global variable field 
in the Event Inspector, you may need to refresh the Event Inspector view to see the global variable 
fields, because the Manager processes global variable data differently from regular event data. 

• If your Hide Empty Rows icon is toggled on (so that empty rows are not displayed), you
may not see global variable fields in the Event Inspector.

• To refresh the view, de-select, then re-select the Hide Empty Rows icon.


See also: "Inspecting and Editing" on page 48.

Note: The overall set of event-attribute fields is defined in "Data Fields" on page 885, but you can
make or use custom subsets with the Field Set Editor (see "Field Sets" on page 991). Choose a
set name to see only that predefined set of fields.
Events

Events begin at network "Devices" that can sense and record instances of security-sensitive activity.
Examples include a database record change, a syslog entry, a firewall transit, a router access, or
scanning a door access card.

Such initial events are typically recorded in logs, and are sometimes called base or raw events. 

When numerous source devices are reporting large volumes of relatively similar events, it is desirable 
to funnel these events through central event concentrators that forward a much-reduced set of 
representative or summary events. 

When these events reach ArcSight "SmartConnectors", several things can happen. 

• All received events are normalized (restructured) to make their information consistent and ready 
for analysis. 

• All received events are categorized (appended with classification information) using ArcSight's 
event categorization taxonomy. 

• If appropriate and the SmartConnector is configured to do so, events are aggregated to issue fewer 
and more meaningful events and to reduce network traffic. 

• If appropriate and the SmartConnector is configured to do so, selected events are filtered out, to 
eliminate them as a further traffic or processing burden. 

• For certain devices, the option may be available for the SmartConnector to apply analysis rules to 
incoming events and to issue correlation events concerning them. 

At SmartConnectors, filtering removes events from the system. Aggregation replaces events with 
fewer new ones bearing summary information. 

When the events from SmartConnectors pass to Managers they can again be considered base events 
in the sense that they are in a state prior to processing. More specifically, any event that is subject to 
further processing, even if the result of previous processing, can be considered a base event. 

All base events entering the Manager are subject to: 

• Correlation to derive more intelligence from the events. Correlation adds new events containing 
the results of correlation activity. You apply correlation through the rules and data monitors in their 
respective resource trees of the Navigator panel. Correlation events have flash icons in grid views. 

• Filtering to selectively see and report on events. Filtering within the Manager does not actually 
discard events. You apply filtering with the resources in the Filters tree in the Navigator panel. 

Note that all aggregation actually occurs at SmartConnectors, not within the Manager. You apply 
aggregation through the resources in the "Rules" tree of the Navigator panel. 

There are only base, aggregation, and correlation "Events". It is important to note that any such
event in the system can (if the right rules and data monitors are present) become the input to produce
new correlation events. You should also note that the Manager's rules engine is designed to prevent
infinite loops.

Apart from the events that originate on the network, and the correlation events the Manager issues in
response to them, the Manager generates many other events of its own for a variety of purposes.

These internal events can be divided into "Audit Events" and "Status Monitor Events". You can use
audit events to track, or react to, system activity at all levels of operation from data monitors to the
database. Status monitor events are valuable for getting system state information. Review these
topics on Audit Events and Status Monitor Events to become familiar with the characteristics of all the
available events.

You can apply all analytic tools to any events present, whether base or correlation, originating 
externally or internally. 


Event Categorization 

Events from unsupported or custom devices can generate events that the provided connectors do not 
know how to categorize. For example, if your organization has developed and deployed ArcSight 
FlexConnectors to collect and process events specific to customized network nodes, these custom 
events are not categorized per the usual method. 

From the ArcSight Console, you can manually apply categorization to one or more custom events from 
a FlexConnector (or other custom or unsupported device). Once you apply categorization to events 
from a particular device (and its associated connector), the categorization is automatically applied to 
other events of the same type. 

To apply event categorization to one or more events: 

1. Select one or more of the same type of events that you want to categorize. 

2. Select one or more events and choose the Categorize Event command from the System menu 
(or click the Categorize Event toolbar button). 

3. Select values from the given categories from the drop-down menus. 

4. Click OK to apply the categorization information to events of this type. 

This generates a SmartConnector update file (.aup) containing the new categorization files on the 
Manager. The Manager polls for new SmartConnector update files every 5 minutes, and updates the 
SmartConnectors when it finds new .aup files. So, within 5 to 20 minutes after you apply event 
categorization, new events of the same type are categorized in the same way. 

Note that if a certain type of event is already categorized, this custom categorization has no effect. 
Otherwise, the custom categorizations take effect on all events of the same type going forward. 


Event Handling Stages 

Events coming into ESM go through the following stages: 
1. Pre-persistence stage 

2. Persistence stage 

3. Post-persistence stage 

Pre-Persistence Stage 

At this stage, raw events arrive from SmartConnectors. ESM evaluates these events against the 
Priority Formula and enriches the events with Asset and Network Model information. Pre-persistence 
rules look for matching events at this stage; and, if found, generate correlation events. 

See "Priority Calculations and Ratings" on page 1010 for information about the priority formula, for 
information about asset and network models, and "Rule Types" on page 494 for information about 
pre-persistence rules. 

Persistence Stage 

The events are kept in active memory and accessed by live active channels. The filter associated with 
an active channel is applied to narrow down the events to be displayed on that channel. At this stage, 
the prioritized, enriched events and correlation events are persisted in the database. 

Post Persistence Stage 

The rule engine triggers rule actions at the beginning of this stage. The events do not change at this 
stage, and are therefore removed from active memory since their copies are saved in the database. 
Queries, query viewers, and reports get their data from the database. 


Field Sets 

Field sets are named subsets chosen from the available "Data Fields". Field sets can help you quickly 
focus a grid view, Event Inspector, or other field array on a particular context such as customer 
accounts or vulnerability. 

Field sets are a shareable resource that you can manage and apply through the Field Sets resource tree 
in the Active Channels section of the Navigator panel. (In the Navigator, choose Active Channels, and 
click the Field Sets tab.) These field sets also support the "Variables" data fields. Field sets supersede 
and include the previous concept of column sets. 

There is a default list of field sets for out-of-the-box use, and to serve as examples. 

See "Creating and Using Field Sets" on page 546 (in "Monitoring Events" on page 210) for information 
on how to create custom field sets, modify existing ones, and share them with other Manager 
administrators or operators. 

See "Sortable Field Sets" on page 1047 for information on creating and using sortable field sets. 

See "Using Field Sets" on page 876 for information on how to access field sets to build conditions. 
Filters 

Use filters to specify criteria that narrows the scope of monitored data and reduces the number, or 
constrains the nature, of the events displayed through the ArcSight Console. Filtering criteria are based 
on the Console's event "Data Fields", used in various combinations and with various conditions placed 
on their content. As you apply more restrictive filter parameters, the number of events reaching the 
Console may decrease, but the likelihood increases that the events are significant. 

For example, you can create a filter that contains every firewall for the western region of the United 
States, and create another filter that contains every Intrusion Detection System (IDS) for the same 
region. You can also be more specific, by creating a filter wherein you only want to view firewalls and 
IDSs with certain IP addresses because they are labeled as suspicious IPs or IPs that may pose a 
possible threat to an enterprise. On the other hand, you can create filters that only contain networks 
that are labeled as friendly and seem to pose no threat at all, but you still want to monitor them. For 
display purposes, you can select a unique color for any filter. If an event matching the filter's conditions 
is generated, the event appears in the grid view in the specified color. 

Applying filters to get optimum results is a core skill for network security analysis. While it isn't 
possible to anticipate specific solutions here, you should know the most efficient way to use the 
ArcSight Console's filtering tools. 


Filtering Options 

In the ArcSight Console, filtering is available in multiple ways, and how you choose to use these 
options can have a significant effect on your ability to precisely, flexibly, and rapidly author new 
analyses over the long term. 

The primary event-filtering options are: 

• Filters resources: The Navigator panel's Filters resource tree is (or should be) your master 
repository for filtering solutions. Using the Filters tree is the best way to work out an organized filter 
library. You can and should use the filters you develop here, through the Filters Editor, in other 
resources such as active channel views, reports, or rules. You can even use filter resources in other 
filter resources. By basing your solutions on hierarchical, resource-based filters, you gain the type 
of leverage granted by style sheets. 

• Active Channels resources: The active channel resources in the Navigator panel can each store 
an individual filtering solution that is unique to a given channel or based on a Filters resource. When 
you use an existing active channel to create another, you carry forward and perhaps modify its filter. 

• Active Channel Editor: You use the Active Channel Editor to create or modify the filters in 
individual active channels. Changes you make to active channels through this editor are limited to 
those channels and channels created from them. Such changes shouldn't be considered long-term 
or enterprise-wide. 

• Inline view filters: In any active channel grid view you can use the fields of the grid's top line to 
select filtering event-attribute values for certain columns, which will be used with implied AND 
operators to impose ad hoc filters. These filters are not retained with the prior active channel, but 
you can give the revised channel a name and save it through the Active Channel Editor. 

• Event-based filters: Another quickly applied and contextual category of event filtering is offered by 
the event-attribute Investigate command. When you right-click an event attribute in a grid view you 
can choose Investigate and one of several filtering options that vary based on the data involved. 
Like inline filters, Investigate filters apply only to the current view and are temporary unless saved 
in a different named view. 

• Inline Filters: You can add an inline filter to a channel view by clicking the Edit Inline Filter 
button at the top right of the grid view to display the inline filtering fields. (For more information, see 
"Filtering Active Channels with Inline Filters" on page 234.) 

You should always remember that your most primary filter is the one imposed by your system 
administrator. Each user operates under the constraints of the access control lists (ACLs) configured 
for their user identity. These ACLs automatically filter out some portion of the total available event flow 
before it reaches you. Any filter you use or create adds to this fundamental constraint. 

For more about putting filters to work, see "Filtering Events" on page 286. 


Global Variables 

You can create variables that derive unique values from existing data fields, which you can apply 
locally in the resource you’re working on to make monitoring and correlation more specific to particular 
scenarios. 

In addition to these local variables, there is a global variable resource, which makes it possible to define 
a variable once, then re-use it in multiple places wherever conditions can be expressed (active 
channels, rules, filters, data monitors, and queries), and wherever fields can be selected (CCE, field 
sets). 

Global variables are centralized and reusable, which make them an essential building block for user 
correlation in the Actors feature, and other advanced correlation scenarios. 

Once created, global variables appear in the "Common Conditions Editor (CCE)" as additional fields on 
the Filters or Conditions tabs, as Group By arguments for data monitors and queries, and in rule 
conditions and actions. You can add variables to field sets in the Field Set Editor to extend the event 
and resource schema with values derived from other data fields. 

The global variables feature also makes it possible to easily promote local variables defined for a 
particular resource into a global variable, where it can be re-used in other condition statements. 

For details about using the Global Variables feature, see "Global Variables". 
Grid View 

A grid view is a type of view in the ArcSight Console that shows events summary information 
organized in rows and columns, or other types of information such as for certain "Resources". As new 
events occur, they are inserted at the top of the grid as new rows. Rows contain events while columns 
contain data fields. You can learn about working with grids in "Using Active Channels" on page 228. 


iDefense 

If your ArcSight system is integrated with a VeriSign iDefense database, you can view iDefense 
incident reports for events that have vulnerabilities associated with them. 

To view iDefense information for an event: 

Select an event in a channel, right-click, and choose Show Event Details. 

If there is iDefense information available for the selected event, the iDefense tab will be enabled. Click 
the iDefense tab, then choose an incident report from the View details for IR menu at the top right of 
the iDefense sub-tab. The reports are displayed on the iDefense tab. 
Note: This option is available only if you have the third-party iDefense software installed and 
configured to interact with ArcSight ESM, and if the selected event has a vulnerability ID associated 
with it. In that case, an iDefense tab is available as a sub-tab under the Details tab for the selected 
event. The iDefense reports provide more details on the vulnerability. 

Typically, multiple incident reports are available for a selected event. To view a report, choose a 
report name from the View details for IR drop-down menu. 


Inspect/Edit Panel 

Located on the right side of the "ArcSight Console" on page 797, the Inspect/Edit panel contains all the 
various "Resources" editors you use to create and modify analytic tools, as well as the Event Inspector 
you use to examine the contents of events. Using the Event Inspector and the resource editors is 
explained in the topics that relate to events and those resources. 

See "Events" on page 989 and "Event Categorization" on page 990 for additional information about 
events. 
Job Scheduler 

You can schedule some tasks to occur automatically. Specifically, this feature is available for archiving 
and scheduling reports, Pattern Discovery snapshots, and rules. See these topics for information 
specific to scheduling jobs for particular resources: 

• "Scheduling Report Tasks" on page 463 for information on how to schedule reports individually or by 
group 

• "Scheduling Rules" on page 539 

• "Scheduling a Snapshot " on page 727 

This topic provides general information on how to schedule a job for any resource and view all 
scheduled jobs. 

To schedule a job: 

1. Click the Jobs tab in the Editor for a group. 

2. Click Add on the Jobs tab. 

This opens the Job Frequency dialog. 

3. Define the schedule frequency and range of the job (start and end dates, or indefinite). 
4. Click OK to save the task and close the dialog. 

[Figure: the Jobs tab of a group editor, showing a scheduled job with its Job Parameters and 
Summary.] 

Double-click to modify the default job name and description, or click Add to add a new scheduled 
job. 

Click the Hourly link in the Summary to bring up the Job Frequency dialog, where you define the 
schedule frequency and range of the job (start/end dates). The rule schedule can have an end date 
or be defined to run indefinitely. 
To view all scheduled jobs: 

Click the Open scheduled jobs list tool button. The scheduled tasks are listed in the Viewer panel 
under "Current Jobs". 

Click a job in the list. The status of previous and pending runs for that job are shown in the "Scheduled 
Runs for <Taskname>" list on the bottom part of the Viewer panel. 


Troubleshooting Tips 

If the Manager system clock time is changed after jobs are scheduled, some scheduled jobs might be 
kept in pending status temporarily, and/or synch back up on subsequent scheduled run times. It is 
best not to make dramatic adjustments to the system clock on a Manager on which critical jobs are 
already scheduled. If this problem occurs and does not correct itself soon enough, stop the Manager 
and re-set the system clock to the original date/time, or re-schedule the jobs. 


Knowledge Base 

The Knowledge Base is a problem-solving database that can contain information on event data, 
associated if-then-else rules, cases, and so forth. All information is derived from community expertise 
within your enterprise or based on your internal practices and policies. 

Compare Knowledge Base articles to "Reference Pages", which provide built-in reference information 
about certain resources. 

When you create a Knowledge Base article, you provide a URL or directory path to a specific 
vulnerability or exposure. You can add notes to Knowledge Base articles to relay information about the 
article. Using a note, you can write reminders, messages to the next shift, or any related information. 
Articles are displayed in the ArcSight Console, with associated links and article information. 
Knowledge Base articles are stored in these default groups: 

• Shared: lists Knowledge Base groups and articles to which the logged-in user has access. 

• All Knowledge Base: lists all user Knowledge Base groups and articles. 

• Personal Knowledge Base: lists each user's own Knowledge Base groups and articles. 

• Public Knowledge Base: lists Knowledge Base groups and articles accessible to all users. 

• Unassigned: lists Knowledge Base articles that do not belong to a group. 
Logical Operators 

This table describes the logical operators you can use in condition statements. Certain operators don't 
appear in circumstances where they are not applicable. 

Logical Operators for Conditional Statements 

Logical Operator    Description 

=                   Equals 
                    Use this operator when the entire string is known, such as for an event Name or 
                    Username. 

!=                  Not equals 
                    Use this operator to exclude one or more known values, such as events involving a 
                    specific network domain or user. 

<                   Less than 

<=                  Less than or equal to 

>=                  Greater than or equal to 

>                   Greater than 

Between             Event occurs within the specified date-time bracket 

BitAnd              Equals, for bitmap fields 

Contains            Contains the specified substring 
                    Use this operator to exclude a large set of events, such as all events whose name 
                    contains "virus." 
                    Use this operator with caution as it is relatively slow and prone to matching more 
                    events than you intended. 

ContainsBits        Returns true or false. 
                    The ContainsBits operator applies to event fields that are bit vector data types, 
                    that is, fields that combine a set of independent Boolean flags. The right side 
                    value is a list of applicable named flags. The operator evaluates to True if the 
                    value of the selected flag is set for the event. For example, 
                        Event Annotation Flags ContainsBits "correlated; inCase" 
                    returns true if both of the annotation flags Correlated and inCase are set for the 
                    event being investigated. 

ContainsList        Compares one list to another to see if the second list is a subset of the first. 
                    For example, (a, b, c) ContainsList (a, b). 

ContainsValue       Returns true or false. 
                    Use this operator where the left-hand-side operand is a list of some data type, and 
                    the right-hand-side operand is a single value (field or literal) of the same data 
                    type. 
                    For example, a variable IPList is a list of IP addresses obtained from a 
                    multi-mapped active list, with values {192.0.2.0, 192.0.2.1, 192.0.2.2}. You then 
                    use ContainsValue in the following conditional statements: 
                        IPList ContainsValue TargetAddress 
                    This condition returns true or false depending on whether the TargetAddress value 
                    is contained in IPList. 
                        IPList ContainsValue 192.0.2.0 
                    This condition returns true because the right-hand-side value is contained in 
                    IPList. 
                        IPList ContainsValue 192.0.2.24 
                    This condition returns false because the right-hand-side value is not contained in 
                    IPList. 
                    You can use ContainsValue in both queries and in-memory resources. 

EndsWith            Ends with the specified substring 
                    Use this operator for domain names. For example, you might want to match events 
                    involving the .mil domain. 

EqualsList          Compares one list to another (for example, active list, session list). If the two 
                    lists have the same entries, the statement evaluates to "true". 
                    For example, (a, b, c) EqualsList (a, b, c). 

In                  Standard SQL operator for membership test 

InActiveList        Event appears in the specified active list. InActiveList operates on items in the 
                    event and actor schemas. It does not evaluate items in other non-event schemas 
                    (such as cases or assets). 
                    For example, (a, b, c) InActiveList (a, b, c, d). 
                    Note: The InActiveList operator only evaluates single-value attributes, and treats 
                    multi-value attributes, such as Actor Account ID and Role, as single-value 
                    attributes. 

InGroup             Tests for membership in a specified category. 

InList              Determines whether a given item is in a list and, if so, evaluates to "true". 

InSubnet            For IP addresses in the specified subnet 

Is                  Tests "true" for the selected state, null or not-null 
                    Use this operator to test whether or not a value has been supplied. You would use 
                    this in rules to tell the difference between a string that does not match versus a 
                    string that was not supplied. For example, you could use this to find all events 
                    that were missing their event names. 

IntersectsList      Compares one list to another. If the two lists have one or more entries in common, 
                    the statement evaluates to "true". 
                    For example, (a, b, c) IntersectsList (b). 

Like                Standard SQL operator for simple pattern matching for string types: "_" is the 
                    wildcard for a single character; "%" is the wildcard for multiple characters 

Matches             Extended regular expression (regex) pattern matching for string types, using Perl 5 
                    syntax. 
                    Note that Matches is used in rules only. 

On                  Event occurs on this date 

StartsWith          Starts with the specified substring 
                    Use this operator for testing URIs such as event categories or resource locations 
                    (for example, Customer or Connector locations in their respective Navigator trees), 
                    or to test the root of a hostname (for example, if your web servers are named 
                    WebServer1, WebServer2, and so forth, you could use "hostname startsWith 
                    Webserver"). 
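The following is an added example, not code from the ArcSight documentation or product: a small Python evaluator for several of the operators in the table above, run against the table's own sample values (the IPList values, the (a, b, c) lists, the ContainsBits flags). The function names, the evaluate() dispatcher and the sample event are this example's assumptions; the comparison and substring operators are modelled with their plain Python equivalents, and the table does not say whether the Console's StartsWith is case-sensitive.

```python
"""Added example, not ArcSight code: a small evaluator for some of the condition
operators in the table above, checked against the table's own sample values. The
operator names come from the table; function names and the sample event are assumed."""
import ipaddress
import re

def contains_bits(flags, required):
    """ContainsBits: every flag named on the right side is set on the event.
    The right side is a list in the table's "correlated; inCase" form."""
    wanted = {f.strip().lower() for f in required.split(";") if f.strip()}
    return wanted <= {f.lower() for f in flags}

def contains_list(left, right):
    """ContainsList: the second (right-hand) list is a subset of the first."""
    return set(right) <= set(left)

def equals_list(left, right):
    """EqualsList: both lists hold the same entries (order is ignored)."""
    return set(left) == set(right)

def intersects_list(left, right):
    """IntersectsList: the two lists have at least one entry in common."""
    return not set(left).isdisjoint(right)

def contains_value(values, value):
    """ContainsValue: a single right-hand value occurs in the left-hand list."""
    return value in values

def in_subnet(address, subnet):
    """InSubnet: the address lies inside the given CIDR block."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(subnet, strict=False)

def is_state(value, state):
    """Is: tests for the selected state, "null" or "not-null"."""
    if state not in ("null", "not-null"):
        raise ValueError("Is expects 'null' or 'not-null'")
    return value is None if state == "null" else value is not None

def like(text, pattern):
    """Like: SQL pattern, "_" matches one character and "%" any run of them."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, flags=re.DOTALL) is not None

def matches(text, pattern):
    """Matches: Perl-style regular expression found anywhere in the string."""
    return re.search(pattern, text) is not None

# Dispatch table keyed by the operator names used in the Console.
OPERATORS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "Contains": lambda a, b: b in a,
    "StartsWith": lambda a, b: a.startswith(b),
    "EndsWith": lambda a, b: a.endswith(b),
    "ContainsBits": contains_bits,
    "ContainsList": contains_list,
    "ContainsValue": contains_value,
    "EqualsList": equals_list,
    "IntersectsList": intersects_list,
    "InSubnet": in_subnet,
    "Is": is_state,
    "Like": like,
    "Matches": matches,
}

def evaluate(left, operator, right):
    """Evaluate one condition statement of the form <left> <operator> <right>."""
    func = OPERATORS.get(operator)
    if func is None:
        raise ValueError(f"unsupported operator: {operator}")
    return bool(func(left, right))

def table_examples():
    """Re-run the table's own examples; the event and IPList are constructed."""
    ip_list = ["192.0.2.0", "192.0.2.1", "192.0.2.2"]     # the IPList variable
    event = {"name": None, "flags": ["Correlated", "inCase"],
             "target": "192.0.2.1", "host": "WebServer1"}
    return {
        "ContainsBits": evaluate(event["flags"], "ContainsBits", "correlated; inCase"),
        "ContainsList": evaluate(["a", "b", "c"], "ContainsList", ["a", "b"]),
        "ContainsValue_field": evaluate(ip_list, "ContainsValue", event["target"]),
        "ContainsValue_hit": evaluate(ip_list, "ContainsValue", "192.0.2.0"),
        "ContainsValue_miss": evaluate(ip_list, "ContainsValue", "192.0.2.24"),
        "EqualsList": evaluate(["a", "b", "c"], "EqualsList", ["a", "b", "c"]),
        "IntersectsList": evaluate(["a", "b", "c"], "IntersectsList", ["b"]),
        "InSubnet": evaluate(event["target"], "InSubnet", "192.0.2.0/24"),
        "Is_null_name": evaluate(event["name"], "Is", "null"),
        "StartsWith": evaluate(event["host"], "StartsWith", "WebServer"),
        "EndsWith": evaluate("mail.example.mil", "EndsWith", ".mil"),
        "Contains": evaluate("Possible virus detected", "Contains", "virus"),
        "Like": evaluate("virus-alert", "Like", "virus%"),
    }
```

Every entry of table_examples() evaluates to True except ContainsValue_miss, matching the results the table gives for those statements.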


Managed Security Service Providers (MSSPs) 

Managed Security Service Providers (MSSP) can use slicing and dicing query-trend approaches to 
create focused reports for multiple customers built from what are initially broad range queries. 

Manager 

The Manager is the component that manages, cross-correlates, filters, and processes all security- 
event occurrences in your enterprise. The Manager includes CORR-Engine, a Cross-Correlation 
Engine, Connector Data Manager, tracking and resolution functions, and analytics and reporting 
capabilities. 




ArcSight Console User's Guide 
Chapter 29: Reference Guide 


Navigator Panel 

Located on the left side of the ArcSight Console, the Navigator panel contains all the trees you use to 
organize analytic and operational "Resources", tools, and targets. These resources come in many 
types, such as active lists, connectors, rules, and users, all of which are summarized in the topic 
"Navigating" on page 40. 


Notifications 

"Notifications" usually refers to the event-related messages sent to e-mail addresses or cell phones. 

Sending notifications is one among several rule actions that can be performed when a rule is triggered 
(See "Rules" on page 1029). When you create a rule and add a Send To Notifier action, you will be able 
to select the notification group that will receive the message. For more information on rule actions, see 
"Managing Rule Actions" on page 515. 

The key entities in the notification structure are Notification Groups, Escalation Levels, and 
Destinations. 


Notification Operation 

When a rule that has a notification action triggers, the notification engine notifies all active destinations 
in the first escalation level within that group. The notification engine then waits for a certain time period 
to receive an acknowledgment to that notification. 

You can acknowledge notifications by any one of these methods: 

• Reply to the e-mail or cell phone message 

• Click the Notifications button in the Console's toolbar to use the Notifications Manager in the 
Viewer panel. (See "Managing Received Notifications" on page 203.) 

The length of time that the notification engine waits for acknowledgment depends on the event severity, 
and can be configured through the context (right-click) menu's Wait Time setting. 

If no acknowledgment is received within the specified time interval, the same notification is escalated 
to the next level within the group. 

This process repeats until there are no more escalation levels or the notification is acknowledged by 
any of the recipients. The one exception to this procedure is the escalation procedure carried out for 
informative notifications (the Informative option was set while defining the notification action in the 
rules editor). In this case, notifications are only sent to the first escalation level in the group and do not 
require acknowledgment. 

SMTP is used to send e-mail. An SMTP server must be configured either at install time or through 
Context (right-click) menu e-mail settings. For notifications, the relevant fields are "from address", 
which designates the e-mail address of notification e-mail sent from the system, and the "outgoing e- 
mail server," which is the SMTP server used to send e-mail. It is important to ensure that the "from 
address" specified is one that will not be rejected by the SMTP server, since some SMTP servers will 
reject unknown e-mail addresses. 

POP3 and IMAP can be used to check for e-mail acknowledgments. You can specify these options at 
install time, or through Context (right-click) menu e-mail option settings. For acknowledgements, the 
relevant fields are "incoming mail server," which is the POP/IMAP server to specify to check e-mail, 
"incoming mail protocol," which is either POP3 or IMAP, "account" and "password," which are the login 
name and password to access the mailbox from the incoming mail server. Note that replying to mails 
from the notification "from address" should reach the mailbox accessible to the "account" login. 

Notification Groups are the point of interface between the rules engine that specifies the notification 
action and the notification engine that sends out the notification. Within each notification group, there 
can be any number of escalation levels. Each escalation level can contain multiple destinations. 

The following groups can help you manage and organize groups and destinations. 


Notification Groups and Destinations 

Destination Group   Purpose 

Shared              Notification groups and destinations to which logged-in users have permission. 

All Destinations    All groups and notification destinations (only Administrators have permissions to 
                    this group). Administrators who have inspect and edit permission on the All 
                    Destinations group also have permission to change notification settings. 


Testing Notification Escalations 

Escalation procedures are tested by generating an internal Low Severity event. This event triggers the 
escalation within the group tested as though a real Low Severity event occurred. Notifications are 
immediately sent to all destinations within the 1st level (1). If 1st level destinations do not respond to 
the notifications within the set wait time for Low Severity events (default is 2 hours), the test 
notification escalates to the 2nd level (2), and so on. 
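As an added example (not ArcSight code), here is the escalation procedure described under "Notification Operation" and in the escalation test above, modelled in Python: the group's levels are notified in turn, each waits the Low Severity default of 2 hours for an acknowledgement, and an informative notification stops after the first level. The group, its destinations and the acknowledgement timings are constructed for the example.

```python
"""Added example, not ArcSight code: a simulation of the notification escalation
procedure described above. Group, destinations and timings are constructed."""
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List, Optional

# Default wait time for Low Severity events, as stated in the text above.
LOW_SEVERITY_WAIT = timedelta(hours=2)


@dataclass
class Destination:
    name: str
    active: bool = True          # only active destinations are notified


@dataclass
class NotificationGroup:
    name: str
    levels: List[List[Destination]]   # levels[0] is escalation level 1


@dataclass
class Outcome:
    notified: List[str] = field(default_factory=list)      # destinations that got the message
    levels_used: List[int] = field(default_factory=list)   # escalation levels reached
    acknowledged_by: Optional[str] = None                  # who answered inside the wait window


def escalate(group: NotificationGroup, wait: timedelta,
             ack_after: Dict[str, timedelta], informative: bool = False) -> Outcome:
    """Walk the group's escalation levels the way the notification engine does.

    ack_after maps a destination name to how long after being notified it
    acknowledges; a destination missing from the map never acknowledges.
    """
    outcome = Outcome()
    for level_no, level in enumerate(group.levels, start=1):
        active = [d.name for d in level if d.active]
        outcome.levels_used.append(level_no)
        outcome.notified.extend(active)
        if informative:
            break            # sent to the first level only, no acknowledgement required
        # the earliest acknowledgement that arrives before the wait time expires
        timely = sorted((ack_after[n], n) for n in active
                        if n in ack_after and ack_after[n] <= wait)
        if timely:
            outcome.acknowledged_by = timely[0][1]
            break            # acknowledged: no further escalation
    return outcome


def constructed_group() -> NotificationGroup:
    """Three escalation levels; one first-level destination is off shift."""
    return NotificationGroup("constructed-soc-group", [
        [Destination("tier1-oncall"), Destination("tier1-backup", active=False)],
        [Destination("tier2-lead")],
        [Destination("security-manager")],
    ])


def scenarios() -> Dict[str, Outcome]:
    """Three runs of a Low Severity test escalation against the constructed group."""
    group = constructed_group()
    slow_tier1 = {"tier1-oncall": timedelta(hours=3),     # misses the 2-hour window
                  "tier2-lead": timedelta(minutes=20)}
    return {
        "tier1_too_slow": escalate(group, LOW_SEVERITY_WAIT, slow_tier1),
        "informative": escalate(group, LOW_SEVERITY_WAIT, slow_tier1, informative=True),
        "nobody_answers": escalate(group, LOW_SEVERITY_WAIT, {}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: levels {outcome.levels_used}, acknowledged by {outcome.acknowledged_by}")
```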


Notification Destinations 

Notifications are sent to destinations. Notification destinations may optionally be associated with a 
user, and when that is done, destination information, such as e-mail address or cell phone, is 
automatically populated from the user's profile. You can also change the user's destination information 
without changing the user's profile. 

Each destination can be an e-mail or cell phone contact and have an associated start and end time, 
which is the time period during the day when the destination is expected to be active. Each destination 
can also be optionally associated with a user. When the destination receives a notification and the user 
is logged into an ArcSight Console, the user is notified through the notification status button on their 
display. 
Notification destinations can be managed with drag and drop functionality. You can move or copy 
notification destinations into escalation levels within the same or other notification groups from the 
Administration window. If a group is deleted, the destinations within that group are also deleted. 

Note: To copy multiple resources at once, use Copy and Paste. You can drag and drop only one 
resource at a time. 


Notification Acknowledgements 

Once you receive a notification, it is important that you acknowledge it within the allotted time window, 
to prevent automatic escalation to the next-level notification destination. Immediately acknowledging 
and resolving significant events is crucial to securing any enterprise. Use the Console's Notifications 
Manager to check status and help resolve issues. See also "Managing Received Notifications" on 
page 203. 


Packages 

A Package is a resource that contains a set of related resources. A package of resources can be 
installed or unloaded as a unit. ArcSight Solutions are delivered as packages, but you can create your 
own packages, as well. 

A Bundle is a file (with extension .arb) that contains one or more packages. You can import and 
export bundles and install and uninstall the packages that the bundles contain. When you import a 
bundle, the source file is saved as a file resource (see "Managing File Resources" on page 671). You 
can view the original package contents (the package archive) or the current package contents at any 
time. 

An uninstalled package is a package that has been imported or created, but not yet installed in the 
system resource tree (see "Resources" on page 1024). Packages that have been installed can also be 
manually uninstalled. The default behavior is to install the package when it is imported. 

When a package is deleted, the resources it contains can be left in the system resource tree or they 
can be deleted along with their package. 

Packages can have dependencies on other packages or on features such as Pattern Discovery. Two 
ArcSight Solution packages may share a third package in common, for example. 

See also "Managing Packages" on page 693. 


Pattern Discovery 

ArcSight's Pattern Discovery can detect subtle, specialized, or long-term patterns that might otherwise 
go undiscovered in the flow of events. This topic discusses pattern concepts. See "Pattern Discovery" 
on page 710. 
A pattern is a distinct, repeating network transaction (event) that is uniquely identified by its source and 
target IP addresses. Patterns are further qualified by the involvement of selected attributes such as 
event names or categories. There are, of course, many such patterns and most are normal or benign. 
The point is to establish and mask out normal traffic in order to let new or atypical traffic stand out. 
Separating "signal from noise" in this way makes possible very early (day zero) detection and very 
subtle (low and slow) detection. Once detected, such traffic can be analyzed or responded to. 

Pattern Discovery uses a profile to specify potentially qualifying events on the basis of attributes and 
time spans. When you apply a profile, manually or on a schedule, it captures a snapshot of the events 
that did qualify, on the basis of raw associations. The contents of snapshots are then reviewed by an 
analyst to identify event patterns to explore in pattern views or the Pattern Inspector. 

You define profiles in the Profile Editor in the Inspect/Edit panel. You manage your profiles, snapshots, 
and discovered patterns through the Profiles, Snapshots, and Patterns tabs of the Navigator panel's 
Patterns resource tree. 

You use the Viewer panel to observe the graphical results of executed snapshots and the patterns 
those snapshots discover. 


Pattern Concepts 

A pattern can be any recurring relationship between one or more pairs of source and target IP 
addresses, that you deem to be significant in relation to certain event attributes. You can regard the 
patterns you discover as benign or hostile, depending on your policies and postures. 

Event-pattern profiles are also constrained by Start and End time limits, filters, and by minimum 
numbers of associated events (pattern length) and times discovered (occurrences, or pattern support). 

Once captured in snapshots, you can examine the event data as raw association information in 
graphical snapshots, or as graphical patterns in the Patterns tab of the Patterns resource tree. 

Each box in a pattern view represents one pattern. The line items in the box are the individual events 
that were discovered to have associations. Each event component of a pattern (box) relates to the 
chain of links from which the pattern was derived, in the visual snapshot. 

A snapshot view is a graphic hierarchy of related event nodes. The "support" value for each node is the 
number of times that event occurred in conjunction with its related events. This overall hierarchy is a 
raw presentation of the events, useful for analysts but not meaningful to operators. 

The discovered events all share the attributes specified in the profile. The pattern-discovery process 
first tests for equality in the values found for the specified attributes. Secondarily, it tests for a selected 
transaction scheme. When the specified minimum number of event relationships reoccur, a pattern 
exists. 


Discovering Patterns 

Patterns are identified by first dividing the event stream into multiple transactions. For example, all of 
the events with a given source and target IP address may constitute a transaction - they represent all 
the traffic flowing from that source to that target. It may also be helpful to cluster transactions into 
super-transactions to identify patterns that involve cascading exploits toward multiple devices (that is, 
device A attacks device B which, in turn, attacks device C). 

The events occurring in each transaction are then characterized using a subset of the event fields (for 
example, the event name or the event category). 

Finally, events that frequently occur together in multiple transactions are identified and grouped 
together. These events are further sub-grouped by support level. For instance, events A and B may 
occur together 2,000 times while events C and D occur in the same transactions but only 10 times. 
Pattern Discovery would create two patterns in this case: one for A and B and a second one for C and 
D. To give another example, events F, G, and H may occur together in the same transactions 100 
times while F and G occur without H in 5 additional transactions. All of these occurrences would be 
rolled together into the same pattern. F and G would have a support of 105 while H would have a 
support of 100. 
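The following Python is an added illustration, not ESM's own implementation: it carries the three steps above (transactions by source/target pair, characterization by event name, grouping of co-occurring events with their support) over constructed events that reproduce both examples in the text. The exhaustive subset counting and the split-by-support-ratio threshold are assumptions standing in for ESM's internal algorithm.

```python
from collections import Counter, defaultdict
from itertools import combinations


def to_transactions(events):
    """Step 1: divide the event stream into transactions. Every event with the
    same (source, target) pair belongs to one transaction; step 2 characterizes
    each transaction by the set of event names it contains."""
    transactions = defaultdict(set)
    for source, target, name in events:
        transactions[(source, target)].add(name)
    return list(transactions.values())


def frequent_itemsets(transactions, min_support):
    """Step 3: count in how many transactions each combination of two or more
    event names occurs together and keep those at or above min_support (the
    profile's pattern support). Exhaustive enumeration is an assumed stand-in
    for the mining ESM actually performs; it is fine for small transactions."""
    support = Counter()
    for names in transactions:
        items = sorted(names)
        for size in range(2, len(items) + 1):
            for combo in combinations(items, size):
                support[frozenset(combo)] += 1
    return {itemset: n for itemset, n in support.items() if n >= min_support}


def maximal(frequent):
    """Drop every itemset that is contained in a larger frequent itemset."""
    return [s for s in frequent if not any(s < other for other in frequent)]


def discover_patterns(events, min_support=5, min_length=2, split_ratio=2.0):
    """Return patterns as lists of (event name, support) pairs.

    Items of one maximal itemset are sub-grouped by support level: when the
    support of neighbouring items (ranked by support) differs by more than
    split_ratio, an assumed threshold standing in for ESM's undocumented
    criterion, they become separate patterns. That is what splits
    {A, B, C, D} into two patterns while keeping F, G and H together."""
    transactions = to_transactions(events)
    item_support = Counter(name for names in transactions for name in names)
    groups = []
    for itemset in maximal(frequent_itemsets(transactions, min_support)):
        ranked = sorted(itemset, key=lambda n: (-item_support[n], n))
        group = [ranked[0]]
        for name in ranked[1:]:
            if item_support[group[-1]] / item_support[name] > split_ratio:
                groups.append(group)
                group = []
            group.append(name)
        groups.append(group)
    patterns = [sorted((n, item_support[n]) for n in g)
                for g in groups if len(g) >= min_length]   # profile's pattern length
    return sorted(patterns, key=lambda p: (-p[0][1], p))


def sample_events():
    """Constructed events (source, target, name) reproducing the text's two
    worked examples; the addresses are invented."""
    events, target = [], "10.0.0.5"
    for i in range(2000):                                   # A and B together 2,000 times,
        source = f"10.1.{i // 250}.{i % 250}"
        names = ["A", "B"] + (["C", "D"] if i < 10 else [])  # C and D in only 10 of them
        events += [(source, target, n) for n in names]
    for i in range(105):                                    # F, G, H together 100 times,
        source = f"10.2.{i // 100}.{i % 100}"               # F and G without H 5 more times
        names = ["F", "G"] + (["H"] if i < 100 else [])
        events += [(source, target, n) for n in names]
    return events


if __name__ == "__main__":
    for pattern in discover_patterns(sample_events()):
        print(pattern)
```

Running it lists three patterns: A and B with support 2,000, F, G (105) with H (100) in one pattern, and C and D with support 10.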


Pattern Analysis 

Pattern analysis, overall, falls into two basic phases: initial collection, identification, and sorting, and 
on-going routine processing. 

Initial Phase 

To accomplish phase one, you generally use broader profiles and more frequent snapshots in an 
attempt to capture examples of all the patterns that appear in your networks. 

Once collected, there is a period of initial analysis in which you identify the patterns that are normal or 
benign. Making these evaluations requires in-depth knowledge and familiarity with the traffic in your 
enterprise, as well as using the analysis tools. There is no set procedure for this basic collecting and 
sorting process. 

However, the best method for moving officially "uninteresting" patterns out of the analysis workflow is 
to use annotation. While it is possible to use filters for this purpose, it is more reliable to move patterns 
by annotation to a stage such as Closed because this assures that the pattern has actually been 
inspected and classified. 

Routine Pattern Processing 

In an environment where the routine event patterns are mostly known and appropriately classified, you 
focus on the new and as-yet unclassified. 

The basic approach to routine pattern analysis consists of two phases: managerial (or triage or 
workflow initiation), and analysis. 

Workflow Management 

As Pattern Discovery turns up new or unclassified patterns, a designated user needs to review them 
and start them through the workflow. 
Newly discovered patterns are handled by using the Annotations feature to assign them to a stage such 
as Follow-up, or simply Closed, and optionally to a particular user. 

Specific procedures and decisions, of course, depend on the internal processes of your enterprise and 
the patterns encountered. 

Pattern Analysis 

As an analyst dealing with day-to-day pattern discoveries, your basic process can be as follows. 

Using the appropriate filters, view the patterns that are new and assigned to you in the Pattern 
Inspector. 

Review these patterns in the Pattern Inspector and compare their transactions historically to those 
found in other snapshots, using the Snapshot menu. 

Use the Show Related Events feature to gain more intelligence about the sources and targets that 
appear in the patterns. 

Remember that events in a grid view are subject to all the ordering, graphing, filtering, reporting, and 
inspection tools available in the Viewer panel. 

Visualize the source and target relationships using Show Event Graph. 

Pattern Disposition 

Acting on reviewed patterns can include: 

• Assigning a new stage or user 

The pattern may need further analysis or some other handling, by another user, or can simply be 
closed. Use the Annotate Pattern command to make this disposition. 

• Creating a rule 

If a pattern represents activity that needs to reported, monitored, evaluated, or otherwise acted 
upon automatically, use the Create Rule command to build a rule based on the pattern's items. 


Note: Remember to express an appropriate Time Frame value in the Aggregation tab of the 
Rules Editor. The scope of a rule's time frame is critical to its effectiveness. 


• Deploying a rule 

Once created, if a rule is of value to the enterprise, you should copy or move it to the 
Rules/Shared/All Rules/Real-time Rules group in the Navigator panel's Rules resource tree. 


Pattern Discovery Expertise 

On a work-a-day basis, the following points will help you make the best use of Pattern Discovery. 
Workflow 

Pattern Discovery analysis may also be scheduled. For example, once per hour the prior hour may be 
analyzed using three different profiles. The patterns discovered by each profile will be stored in a 
designated group in the Patterns resource tree. 

Each pattern also has certain annotation features associated with it that will be familiar to users of 
trouble-ticket systems. Each pattern can be flagged as being at a given stage (for example, Queued, 
Acknowledged, Under Investigation, Under Observation, Normal Activity, and so forth). Patterns may 
also be assigned to a user for further investigation. 

Initially, many new patterns will be observed and will need to be characterized. Does the pattern 
represent a threat or is it a result of normal activity on the network? Should a rule be generated? Or is 
more observation of the pattern required in order to understand it? 

Over time, only a few new patterns will be observed each day. These will be delivered in the Queued 
stage. In the simplest workflow, the operator must resolve these patterns or assign these patterns to 
others for resolution each day. 

When patterns are observed again, you can configure Pattern Discovery either to quietly mark the 
pattern as observed again or to bring the pattern to the attention of the operator. 

Visualization 

Event graphs have a clustering ability that makes them very useful when illustrating the interactions 
represented by a pattern resource. 

Suppose events F, G, and H occur together in the same transactions 100 times while F and G occur in 
5 additional transactions. All these occurrences would be rolled together into the same pattern. The 
event graph would cluster the 100 sources where F, G, and H occur together. It would also cluster the 
sources where only F and G occurred. 

To use a somewhat more concrete example, one cluster might represent a Nimda Worm's attempts to 
infect IIS installations. The second cluster might represent successful infections. 

Applications 

Pattern Discovery can be used to characterize the traffic on newly protected networks (for example, 
new customers for MSSPs, new divisions for large corporations, and so forth). It can also characterize 
traffic from new sensors. 

Pattern Discovery is also a key element in the ongoing operation of an installation. Using periodic, 
scheduled analysis, operators can always be kept up to date as new event patterns appear. Frequently, 
these patterns will indicate new worm or exploit behavior. 
Payload 

"Payload" refers to the information carried in the body of an event network packet, as distinct from 
the packet's header data. (See "Events" on page 989.) While security event detection and analysis 
usually centers on header data, packet payloads may also be significant for historical analysis 
purposes. 

Typically, devices discard payloads after a certain period of time. As described in "Working with Event 
Payloads" on page 282, you can retrieve, preserve, view, or discard payloads using the ArcSight 
Console. Since event payloads are relatively large, they are not stored by default. Instead, you can 
request payloads from devices, for selected events, through the ArcSight Console. If the payload is still 
held on the device, the SmartConnector retrieves it and sends it to the Console. (See 
"SmartConnectors" on page 1044.) 

Payloads are downloaded and stored only on demand. Whether an event has a payload to store is 
visible in event grids. Unless you specifically request to do so, only the event's "payload ID" 
(information required to retrieve the payload from the event source) is stored. Payload retention periods 
are controlled by the configuration of each source device. 

A payload that has already been downloaded and stored in the database can either be manually 
selected and deleted, or removed based upon the event-retention policy. 

If the payload's format is not recognized by the database, its data will not be lost; instead it appears 
"unparsed" in the event. The event name attribute generally contains the complete data in this case. 


Prioritization Fields 

Events include fields whose values help you evaluate each event's overall priority and importance, and 
determine which events you should investigate first. The prioritization field values take into account a 
number of factors including: 

• Vulnerability of the Target Asset 

• Active List Contents 

• Open Ports on the Target Asset 

• Asset Criticality 
Event Prioritization Fields 

Data Field: Model Confidence 
Description: Is the target asset modeled and if so, to what degree? This factor depicts the confidence 
we have in our model. This value depends heavily on whether target assets of interest are modeled in 
the system. 
If the only data point for an asset is its ID, then it is likely that this is either an asset range, or an asset 
that was modeled manually. The fact that the target asset is in the system at all provides some degree 
of model confidence. Model confidence is higher, though, if the target asset has been scanned for open 
ports and vulnerabilities. 

Data Field: Asset Criticality 
Description: How important is the Asset? This factor encompasses the criticality of the attacked asset. 

Data Field: Relevance 
Description: Does it appear probable that the attack succeeded? This factor performs an open port 
correlation (check to see if the target port is open) and vulnerability correlation (check to see if one of 
the exploited vulnerabilities is exposed). 

Data Field: Severity 
Description: How serious is this attack? This factor encompasses the severity of the event (ArcSight 
Severity), the severity of the exploited vulnerability (how much it is exposed), any user-supplied filter 
weighting, and the presence of the Source IP Address in various compromised and hostile active lists. 

Data Field: Priority 
Description: Should this event be investigated right away or not? This value is calculated by a formula 
that considers the values of the previous four fields, as described in the next topic. 


Priority Calculations and Ratings 

The priority formula, formerly referred to as the Threat Level Formula, is a series of five criteria that 
each event is evaluated against to determine its relative importance, or urgency, to your network. This 
topic describes the calculations used to determine an event’s priority rating ("Priority Rating" on 
page 1015). 

Priority evaluation is applied to all the events that the Manager receives from SmartConnectors. The 
event's priority lets security operations personnel know whether this is an event that warrants further 
notice. The priority value assigned to an event is essentially the severity the event was assigned by the 
original reporting SmartConnector, as modified by the weighting schemes: model confidence, 
relevance, severity, and asset criticality. Each of these four criteria, described in the table below, 
contributes a numeric value to the priority formula. 

Each of the four factors evaluates to a value in the range of 0 to 10, where 0 is low and 10 is high. The 
values have a specific positive or negative influence (weight) on the original SmartConnector severity 
value. See "Prioritization Fields" on the previous page for definitions of these factors. 

The priority formula consists of 4 factors that combine to generate an overall priority rating. Each of the 
criteria described in "Factors Contributing to Priority Evaluations" contributes a numeric value to the 
priority formula, which calculates the overall importance, or urgency, of an individual event. 
All values fall in the range between 0 and 10. A high priority factor generally indicates an event with a 
higher risk factor. Not every high priority event is necessarily a threat, however. For example, if a 
critical e-mail server fails, the priority of the events reporting it may be very high, although it does not 
necessarily represent a threat to your network. 

The following table describes the factors considered in the ESM priority evaluation. If you require help 
in changing the values, enter a case in the HP Software Support Online site. The maximum score for 
each factor is 10: if the value of qualifying conditions for that factor totals more than 10, the amount 
over 10 is not considered. 


Note: You can view an event’s priority information by right-clicking the event on the grid and 
selecting Debug Event Priority. The window displays information on how the priority score was 
determined for the selected event. The values described in the following table come from actual 
values stored for the events. The debugging information, however, is real time without history. 

If you set the severity through a rule action, the debug event priority shows this value; however, 
the debug information does not cover this particular rule action. This is because the values 
described in the information are based on actual values stored for the event. Event conditions 
defined in the rule are based on live evaluation of the current state of the system. 


Factors Contributing to Priority Evaluations 

Priority factor: Model Confidence 
Model confidence refers to whether or not the target asset has been modeled in ESM and what 
information the modeling revealed. Maximum score = 10. 

  +4  Target asset is modeled in ESM and its asset ID is present. If these are the only data points 
      present for the asset, this is likely an asset range or a system that was modeled manually. 
  +4  Target asset has been scanned for open ports. 
  +4  Target asset has been scanned for vulnerabilities. 

Priority factor: Relevance 
Relevance of the event to the asset is based on whether the event contains ports or known 
vulnerabilities and whether they are exposed. If an asset does not expose the vulnerabilities or ports 
in the event, the event is not relevant to the asset. Maximum score = 10. 

  +5  Ports. The original shows a decision chart; its legible nodes read: Does the event contain 
      ports? No: +5. Yes: Has the asset been scanned for open ports? No: +5. Yes: Is the port open 
      on the asset? Yes: +5; No: 0. 
  +5  Vulnerabilities. The original shows a decision chart; its legible nodes read: Is there a known 
      vulnerability mapping on file at the Manager? Yes: Has the asset been scanned for 
      vulnerabilities? The terminal scores still legible are +5; the remaining branches are not 
      legible in the source. 

Priority factor: Severity 
Severity is a history function: Has the system been attacked or compromised before, or has the 
attacker scanned or attacked the network in the past? 
Different scores are assigned based on the attacker and target's presence in one of ESM's threat 
tracking active lists (/All Active Lists/ArcSight System/Threat Tracking), whose contents are 
updated automatically by ESM rules. Maximum score = 10. 

  +6  The asset appears as an attacker in the active list /ArcSight System/Threat 
      Tracking/Infiltrators List. 
  +5  The asset appears as an attacker in the active list /ArcSight System/Threat 
      Tracking/Hostile List. 
  +3  The asset appears as a target in the active list /ArcSight System/Threat 
      Tracking/Compromised List. 
  +3  The asset appears as an attacker in the active list /ArcSight System/Threat 
      Tracking/Suspicious List. 
  +1  The asset appears as an attacker in the active list /ArcSight System/Threat 
      Tracking/Reconnaissance List. 

Priority factor: Asset Criticality 
Asset criticality measures how important the target asset is, as set by you in the network modeling 
process by using the standard asset categories /System Asset Categories/Criticality/Very High, 
High, Medium, Low, and Very Low. For example, customer-facing systems or devices with access to 
confidential information would be classified with a High criticality level, whereas a staging or test 
system might be Low. Maximum score = 10. 

  +10 The asset is found by the filter /System Asset Categories/Criticality/Very High 
  +8  The asset is found by the filter /System Asset Categories/Criticality/High 
  +6  The asset is found by the filter /System Asset Categories/Criticality/Medium 
  +4  The asset is found by the filter /System Asset Categories/Criticality/Low 
  +2  The asset is found by the filter /System Asset Categories/Criticality/Very Low 
  +0  The asset is not categorized with any of the above categories. 


You can use asset aging to reduce asset confidence level as the time since the last scan increases. 
For information on configuring that, refer to the ESM Administrator’s Guide, “Configuration” section, 
topic on “Asset Aging.” 


The priority calculation formulas are made up of basic elements organized by operators called Sum and 
Difference. These elements are based on simple condition expressions. 

• "Priority Elements" below 

• "Priority Operators" on the next page 


Priority Elements 

The basic formula elements each return a positive numeric value or zero. Individual element values can 
be configured by changing the Value attribute associated with the XML element for each condition. 

Some of the elements are predicates that test a specific condition. If the condition for a specific 
element is satisfied, these elements return a positive value; otherwise, the element returns zero. 

Predicate elements can also be negated using the Negated attribute. In that case, they return a 
specified value if the condition is not satisfied, and zero if the condition is satisfied. 
Priority Elements 

Prioritization Element     Description 

HasOpenPort                Takes a non-zero value if the target asset has a particular port open. 
HasVulnerability           Takes a non-zero value if the target asset is vulnerable to the attack captured 
                           by the alert under consideration. 
HasVulnerabilityMapping    Takes a non-zero value if the signature of the context event has not been 
                           mapped to a vulnerability. 
HasValue                   Takes a non-zero value if the specified event attribute has a value. 
InActiveList               Takes a non-zero value if the target address belongs to one of the active 
                           lists whose URI is provided in the formula. 
Constant                   Evaluates to a constant non-zero value. It does not rely on event-specific 
                           conditions or any other variable; it remains constant, as the name implies. 


Priority Operators 

There are two aggregation operators used in the priority calculation formula, Sum and Difference. The 
Sum operator adds the values of all of the elements that it contains. The Difference operator subtracts 
the sum of all of the values of the subsequent elements from the value of the first element it contains. 

Both operators have two attributes, maxValue and weight. 

MaxValue Attribute 

MaxValue is used to clip the result after the operator aggregation is carried out. After aggregating, the 
result is also normalized, which is achieved by dividing the result with MaxValue. For example, if we 
have an element like 

<SUM maxValue = 100> 

and it has two child elements, each of which evaluate to 80, the pre-normalization value will still be 100 
and not 160. After normalization, the final result for this example will be 1. Similarly, there is an implied 
lower limit or minimum value of zero on these elements. 

Weight Attribute 

The Weight attribute is used to scale the result after operator aggregation and normalization are carried 
out. So, as in the example previously described, if the aggregating element was: 

<SUM maxValue = 100 weight = 7> 

the result after normalization is 1, and after scaling, it becomes 7. 

Each of the formulas has an implied maxValue of 10, since each of the four fields in the alert takes 
values in the range 0-10 (inclusive). 
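The following Python is an added example, not ESM's own formula implementation. It models the Sum and Difference operators with their maxValue and weight attributes and the predicate elements (with the Negated attribute) described above, and applies them to compute the four factors of the "Factors Contributing to Priority Evaluations" table for a constructed event. The per-factor scaling (maxValue = weight = 10), the element names beyond those in the Priority Elements table, and the sample addresses and placeholder signature and vulnerability ids are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# ctx: constructed dict with keys event, asset, active_lists (URI -> addresses), vuln_mappings (signature -> ids).

@dataclass
class Element:
    """Predicate element: value when the condition holds (swapped if negated), else 0."""
    name: str
    value: float
    condition: Callable[[dict], bool]
    negated: bool = False

    def evaluate(self, ctx: dict) -> float:
        return self.value if bool(self.condition(ctx)) != self.negated else 0.0

@dataclass
class Operator:
    """Sum adds its children; Difference subtracts the rest from the first. The result
    is floored at 0, clipped at max_value, normalized by max_value, scaled by weight."""
    kind: str            # "Sum" or "Difference"
    children: list
    max_value: float
    weight: float = 1.0

    def evaluate(self, ctx: dict) -> float:
        values = [child.evaluate(ctx) for child in self.children]
        if self.kind == "Sum":
            raw = sum(values)
        else:  # Difference
            raw = values[0] - sum(values[1:]) if values else 0.0
        clipped = min(max(raw, 0.0), self.max_value)
        return clipped * self.weight / self.max_value

def in_list(uri: str, field: str):
    return lambda c: c["event"].get(field) in c["active_lists"].get(uri, set())

def asset_flag(flag: str):
    return lambda c: bool(c["asset"].get(flag, False))

# Assumption: each factor is put on the table's 0-10 scale with maxValue = weight = 10.
SCALE = dict(max_value=10, weight=10)

MODEL_CONFIDENCE = Operator("Sum", [
    Element("AssetModeled", 4, asset_flag("modeled")),
    Element("ScannedForPorts", 4, asset_flag("scanned_ports")),
    Element("ScannedForVulns", 4, asset_flag("scanned_vulns")),
], **SCALE)

# Relevance follows the table's decision charts: missing port or vulnerability
# knowledge gives +5 (benefit of the doubt); a scanned, unexposed asset gives 0.
PORTS = Operator("Sum", [
    Element("HasValue(targetPort)", 5, lambda c: c["event"].get("targetPort") is not None, negated=True),
    Element("ScannedForPorts", 5, asset_flag("scanned_ports"), negated=True),
    Element("HasOpenPort", 5, lambda c: c["event"].get("targetPort") in c["asset"].get("open_ports", set())),
], max_value=5, weight=5)
VULNS = Operator("Sum", [
    Element("HasVulnerabilityMapping", 5, lambda c: c["event"].get("signature") not in c["vuln_mappings"]),
    Element("ScannedForVulns", 5, asset_flag("scanned_vulns"), negated=True),
    Element("HasVulnerability", 5, lambda c: bool(c["vuln_mappings"].get(c["event"].get("signature"), set())
                                                   & c["asset"].get("vulnerabilities", set()))),
], max_value=5, weight=5)
RELEVANCE = Operator("Sum", [PORTS, VULNS], **SCALE)

TT = "/All Active Lists/ArcSight System/Threat Tracking/"
SEVERITY = Operator("Sum", [
    Element("Infiltrators", 6, in_list(TT + "Infiltrators List", "attackerAddress")),
    Element("Hostile", 5, in_list(TT + "Hostile List", "attackerAddress")),
    Element("Compromised", 3, in_list(TT + "Compromised List", "targetAddress")),
    Element("Suspicious", 3, in_list(TT + "Suspicious List", "attackerAddress")),
    Element("Reconnaissance", 1, in_list(TT + "Reconnaissance List", "attackerAddress")),
], **SCALE)

CRIT = "/System Asset Categories/Criticality/"
ASSET_CRITICALITY = Operator("Sum", [
    Element(level, points, lambda c, uri=CRIT + level: c["asset"].get("criticality") == uri)
    for level, points in [("Very High", 10), ("High", 8), ("Medium", 6), ("Low", 4), ("Very Low", 2)]
], **SCALE)

def priority_factors(ctx: dict) -> dict:
    """The four 0-10 factor values from the table, for one event."""
    return {"modelConfidence": MODEL_CONFIDENCE.evaluate(ctx), "relevance": RELEVANCE.evaluate(ctx),
            "severity": SEVERITY.evaluate(ctx), "assetCriticality": ASSET_CRITICALITY.evaluate(ctx)}

def normalization_example() -> float:
    """The text's <SUM maxValue=100 weight=7> over two children of 80: 160 clips to 100 -> 1 -> 7."""
    two_eighties = [Element("Constant", 80, lambda c: True) for _ in range(2)]
    return Operator("Sum", two_eighties, max_value=100, weight=7).evaluate({})

def sample_context(modeled: bool = True, exposed: bool = True) -> dict:
    """Constructed event and asset model; addresses and the SIG-/VULN- ids are placeholders."""
    asset = {"criticality": CRIT + "High"}
    if modeled:
        asset.update(modeled=True, scanned_ports=True, scanned_vulns=True,
                     open_ports={80, 445} if exposed else {80},
                     vulnerabilities={"VULN-PLACEHOLDER-1"} if exposed else set())
    return {"event": {"attackerAddress": "203.0.113.7", "targetAddress": "10.0.0.5",
                      "targetPort": 445, "signature": "SIG-PLACEHOLDER-1"}, "asset": asset,
            "active_lists": {TT + "Hostile List": {"203.0.113.7"}, TT + "Compromised List": {"10.0.0.5"}},
            "vuln_mappings": {"SIG-PLACEHOLDER-1": {"VULN-PLACEHOLDER-1"}}}
```

For the scanned, exposed sample asset the factors come out as model confidence 10 (12 clipped to the maximum), relevance 10, severity 8 and criticality 8; an unmodeled target still scores relevance 10 because both charts give the benefit of the doubt, while a scanned target that exposes neither the port nor the vulnerability scores 0.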
Priority Rating 

The priority of an event is a calculated overall rating based on agentSeverity adjusted by Model 
Confidence, Relevance, Severity, and Criticality using a detailed formula. (See "Priority Calculations 
and Ratings" on page 1010.) All four factors are fields in the event schema, and can thus be used in 
correlation. 

The priority rating is color coded and displayed in "Active Channels". You can sort events in the grid 
view according to priority. Priority is a good basis for deciding what to look at first in your event 
monitoring workflow, and priority is one of many useful criteria on which to build filters, rules, reports, 
and data monitors. 




Priority Ratings in Active Channels: The Priority column in the default live channel view shows the 
overall priority rating for each event based on calculations from the other five priority criteria. 

The score and color scale used in the priority display are as follows: 


Priority Rating Color Indicators 

Priority   Color    Description 

0-2        Green    Very low. This event is likely a routine function, such as routine file access or a 
                    successful authentication by an authorized user. An event that may have started 
                    out with a higher priority can become very low priority when it is proved to have 
                    failed. 
3-4        Blue     Low. This event is likely a common function, such as a setting change or a 
                    scheduled system scan. 
5-6        Yellow   Medium. This event is a potential concern, such as pre-attack scan activity, 
                    policy violations, and identified vulnerabilities. Medium priority events are often 
                    hostile attempts whose success or failure is not confirmed. 
7-8        Orange   High. This event is a concern, such as attack formations, potential breaches, or 
                    misuse, including traffic to a dark address space, incorrect registry values, or a 
                    SYN Flood. 
9-10       Red      Very high. This event is a grave concern, such as verified breaches or a DHCP 
                    packet that does not contain enough data. Items with a very high priority should 
                    be investigated immediately. 


Queries 

A query is a resource that defines the parameters of the data you want to report on derived from a data 
source. Queries are used in "Reports" either directly or as the basis for "Trends" reporting. 

Queries can use as a data source the database of events, cases, notifications, modeled network 
objects (assets), trend data, active list, or session list. Reports then bind data results from queries 
and/or trends into a display format based on a report template. 

See "Building Reports" on page 371 for an overview of all reporting tasks and tools, including how to 
build queries or trends and how to use the provided templates. 


Queries and Trends 

You can use the result of a query as the basis for one or more reports or trends. For a detailed 
description of how queries and trends can be used together, see "Query-Trend Relationships in 
Reporting" on page 428. 


Building and Running Queries 

You can access queries and associated editors in the Reports resource in the ArcSight Console. 

See "Building a Query" on page 302 for information on how to navigate to and use the Query Editor to 
define query settings. 


Query Viewers 

Query Viewers are a type of resource for defining and running SQL queries on other resources, 
including trends, assets, cases, connectors, events, and so forth. Each query viewer contains an SQL 
query along with other logic for establishing and comparing baseline results, analyzing historical data to 
find patterns in network activity, and performing drill-down investigation on a particular aspect of the 
results. 

You can use query viewers to run the same queries used for reports, and get results quickly. Then, if 
desired, you can generate a simple report directly from the query viewer results. Full-featured reporting 
(with queries, trends, and templates) is still offered for more robust reporting requirements (see 
"Building Reports" on page 371), but query viewers provide a shortcut to running those same SQL 
queries apart from reporting. 

Query viewers provide high-level summaries to monitor system health, reveal trends, and allow for drill- 
down investigation of all types of resources. Query viewers can work with trend tables rather than 
event tables, and so can return results much faster than "Active Channels". 

See "Query Viewers" on page 323 for information about using and building query viewers. 


Reference Pages 

Certain "Resources" among those you find in the trees of the "Navigator Panel", or events you see in 
the Viewer Panel ("Views" on page 1101), have pointers to additional reference information. To check 
for this information, you right-click an individual event, resource, or resource group and choose 
Reference Pages. 

If there are pointers available, you see the Reference Pages dialog box. Select one or more items and 
click View to open them in Viewer tabs. If no content is available, click OK in the "none found" dialog 
box. 

Some reference page pointers are pre-populated. You can edit these, or add new references, through 
the Group Editor (as described in "Using Resource Groups" on page 44). In the Group Editor, use the 
Group Page text field to specify URLs to reference pages for the group as a whole. Use the Group 
Children's Page field to specify URLs to reference pages for the individual items within the group. 
Member URLs can be in the form of templates that use the names of "Data Fields" to query for 
particular files. 

Note also that all the content formerly available through the feature called "Vendor Pages" continues to 
be available from Reference Pages. 


Regex (Regular Expressions) 

The use of regex is supported for adding filter conditions in the Console. ESM uses the regular 
expression library (Pattern class) of Java 6. The Pattern engine in Java performs traditional NFA-
based matching with ordered alternation as in Perl 5. This topic is provided to users who are familiar 
with regex in Java and Perl, and explains the differences and similarities in constructs between them. 
The information contained in this topic is taken from the Java documentation at 

http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html 

Refer to the above URL for the complete information about the Pattern class. 


Perl Constructs not Supported in Java 

The Pattern class does not support the following Perl constructs: 
• The conditional constructs (?{X}) and (?(condition)X|Y) 

• The embedded code constructs (?{code}) and (??{code}) 

• The embedded comment syntax (?#comment) 

• The preprocessing operations \l, \u, \L, and \U 

Java Constructs not Supported in Perl 

The Java Pattern class supports the following constructs that Perl does not: 

• Possessive quantifiers, which greedily match as much as they can and do not back off, even when 
doing so would allow the overall match to succeed 

• Character-class union and intersection as described in "Character Matches" 


Notable Differences between Java and Perl 

If you are used to using regex in Perl, you should pay attention to the difference in the way Java's 
Pattern class handles certain expressions. 

• In Perl, \1 through \9 are always interpreted as back references. A backslash-escaped number 
greater than 9 is treated as a back reference if at least that many subexpressions exist; otherwise it 
is interpreted, if possible, as an octal escape. In the Pattern class, octal escapes must always 
begin with a zero. In this class, \1 through \9 are always interpreted as back references, and a 
larger number is accepted as a back reference if at least that many subexpressions exist at that 
point in the regular expression; otherwise the parser will drop digits until the number is smaller or 
equal to the existing number of groups, or it is one digit. 

• Perl uses the g flag to request a match that resumes where the last match left off. This functionality 
is provided implicitly by Java’s Matcher class: repeated invocations of the find method will resume 
where the last match left off, unless the matcher is reset. 

• In Perl, embedded flags at the top level of an expression affect the whole expression. In the 
Pattern class, embedded flags always take effect at the point at which they appear, whether they 
are at the top level or within a group; in the latter case, flags are restored at the end of the group just 
as in Perl. 

• Perl is forgiving about malformed matching constructs, as in the expression *a, as well as dangling 
brackets, as in the expression abc], and treats them as literals. The Pattern class also accepts 
dangling brackets but is strict about dangling metacharacters like +, ?, and *, and will throw a 
PatternSyntaxException if these metacharacters are encountered. 
Character Matches 

This topic applies to regex in Java. The following table lists regular-expression constructs and the 
matches for character classes. 

Summary of Regular-Expression Constructs for Character Classes 

Construct          Matches 

[abc]              a, b, or c (simple class) 
[^abc]             Any character except a, b, or c (negation) 
[a-zA-Z]           a through z or A through Z, inclusive (range) 
[a-d[m-p]]         a through d, or m through p: [a-dm-p] (union) 
[a-z&&[def]]       d, e, or f (intersection) 
[a-z&&[^bc]]       a through z, except for b and c: [ad-z] (subtraction) 
[a-z&&[^m-p]]      a through z, and not m through p: [a-lq-z] (subtraction) 


Character classes may appear within other character classes, and may be composed by the union 
operator (implicit) and the intersection operator (&&). The union operator denotes a class that contains 
every character that is in at least one of its operand classes. The intersection operator denotes a class 
that contains every character that is in both of its operand classes. 

The precedence of character-class operators is as follows, from highest to lowest: 

1. Literal escape      \x 

2. Grouping            [...] 

3. Range               a-z 

4. Union               [a-e][i-u] 

5. Intersection        [a-z&&[aeiou]] 

Note that a different set of metacharacters is in effect inside a character class than outside one. 
For instance, the regular expression . (a dot) loses its special meaning inside a character class, 
while the expression - (a dash) becomes a range-forming metacharacter. 
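As an added illustration (not part of the ArcSight documentation), this Java program expands each construct from the table above against a small constructed alphabet, and shows the Pattern class rejecting the dangling quantifier *a while accepting the dangling bracket abc], as described at the start of this topic. The alphabet, class name and helper methods are assumptions made for the demonstration.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example: resolves java.util.regex character-class operators
 * (negation, union, intersection, subtraction) against a fixed alphabet
 * and checks which malformed expressions the Pattern class rejects.
 */
public class CharacterClassDemo {

    /** Constructed alphabet used to expand each class: letters plus a few metacharacters. */
    static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz.-+*";

    /** Returns the characters of ALPHABET that the given character class matches. */
    public static String matchingChars(String characterClass) {
        Pattern p = Pattern.compile(characterClass);
        StringBuilder matched = new StringBuilder();
        for (char c : ALPHABET.toCharArray()) {
            if (p.matcher(String.valueOf(c)).matches()) {
                matched.append(c);
            }
        }
        return matched.toString();
    }

    /** True if Pattern.compile accepts the expression, false if it throws PatternSyntaxException. */
    public static boolean compiles(String regex) {
        try {
            Pattern.compile(regex);
            return true;
        } catch (PatternSyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"[abc]",         "simple class"},
            {"[^abc]",        "negation"},
            {"[a-d[m-p]]",    "union, same as [a-dm-p]"},
            {"[a-z&&[def]]",  "intersection"},
            {"[a-z&&[^bc]]",  "subtraction, same as [ad-z]"},
            {"[a-z&&[^m-p]]", "subtraction, same as [a-lq-z]"},
            // Inside a class the dot is a literal, and a trailing dash is a literal, not a range.
            {"[.-]",          "dot and trailing dash are literals inside a class"},
        };
        for (String[] c : cases) {
            System.out.printf("%-16s %-48s -> %s%n", c[0], c[1], matchingChars(c[0]));
        }
        // Perl treats both as literals; the Pattern class accepts only the dangling bracket.
        System.out.println("abc] compiles: " + compiles("abc]"));
        System.out.println("*a   compiles: " + compiles("*a"));
    }
}
```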


Reports 

Reports are a resource that provide captured views or analyses of information that can be viewed in the 
ArcSight Console (see "ArcSight Console" on page 797) in PDF, Excel, Comma Separated Value (csv), or 
Rich Text Format (rtf). You can view the HTML format with your preferred default Web browser. 

You can create reports on all events, cases, notifications, and assets that are in storage. 
Reports gather data based on "Queries" and "Trends", and use report templates to determine display 
and file formats. 

For an overview of reporting, including information on queries, trends, and templates, see "Building 
Reports" on page 371. 


Working with Report Templates, Queries, and Trends 

Reports show results of pre-defined queries and trends using custom-designed or provided templates. 
Once you have source data defined in queries and/or trends, you can design reports to present the data 
in charts and tables. 

The Reports resource includes the following tabs and editors for the elements that make up 
reporting: 

• Templates ("Using Report Templates" on page 375) 

• Queries ("Defining Query Settings" on page 303) 

• Reports ("Defining Report Settings" on page 381) 

• Archives ("Archiving and Scheduling Reports" on page 460) 

• Trends ("Defining Trend Settings" on page 431) 

A Report Wizard is provided for creating reports quickly. (See "End-to-End Reporting Examples" on 
page 412 for an example of using the report wizard.) From within the wizard you can choose a data 
source (one from among available "Queries", "Trends", "Active Lists", or "Session Lists") and one of 
the available templates to use for the report. 


Viewing and Managing Reports 

You have the flexibility to broaden or narrow the data extracted from the database using report 
parameters and conditional logic statements. You can also create delta reports to show the difference 
between two sets of parameters. With this flexibility, you can create custom reports that are tailored to 
meet your reporting needs. Also, there are display groupings of "Report Definitions," where you define 
what report you want to generate, and "Report Output," where the actual reports are generated and 
stored. 

Archived Reports 

Once a report is created, it can be saved (archived). Archived reports are retrieved for immediate 
viewing, without requiring you to regenerate the report. In addition, you can schedule a report for 
automatic archiving, on a yearly, monthly, weekly, daily, or hourly basis. All reports are displayed at the 
ArcSight Console in the Report Viewer. 
Report Groups 

Reports can be created and edited in the <user ID>'s Reports group or the Public Reports group on the 
Report Definitions tab. Reports can be deleted based on your permissions. Reports created in the 
<user ID>'s Reports group are available only to that user and those to whom the user gives inspect or 
edit permission. Reports created in the Public Reports group are available for all users to create, edit, or 
delete. Reports can then be run from the Reports resource tree and the Viewer panel. For more 
information, see "Running and Managing Reports" on page 448. 

You can manage reports in the Reports window of the ArcSight Console. The Reports resource tree 
has two tabs: Report Definitions where reports are managed and Report Output where archived reports 
are stored for viewing. The Report Definitions tab lists and organizes all reports in one of the following 
groups. 


Report Groups          Description 

<user_ID>'s Reports    Reports the user has created. 

Shared Reports         Reports that other users have already shared with the logged-in user. 

ArcSight Reports       Reports provided as defaults, which you can use as-is or to create custom 
                       reports. 

Public Reports         Reports to which all users have read permission. 


If you have Administrator access you will have another group named All Reports that contains all user 
report groups and their reports. 

The Report Output tab lists all archived reports. Archived reports are listed as files on the Report 
Output tab for quick access and retrieval. When you archive a report from the Report Definitions tab, 
that report is sent to the Report Output tab. If other users archive a report and share it, the report is 
listed in the Shared group on the Report Output tab. 

Delta Reports 

A delta report is one that shows the difference between two sets of parameters used in a single report. 
The report also shows the data for each of the parameters. 


When you run or archive a delta report, an internal event is sent to the Manager. This event contains the 
following data fields and values. 


Delta Report Field    Description 

Event Name            Delta Report Generated (Report: <ReportName>), where <ReportName> is the 
                      name of the report. 


Rules can be created using the delta report data fields. 
Report Parameters 

For date parameters, type in the text fields, click the drop-down arrows or click the time buttons to 
select a time range. 

For date and time data fields, you can also type an actual date value, such as 10/12/2011 8:54:00 AM, 
or you can use special system variables such as: 

• $CurrentDateTime: the date and time the report is run. The system variable is replaced by the 
current date and time value when the report is run. 

• $CurrentDate: the date the report is run. The system variable is replaced with the date value, 
with the time of day truncated to 0, when the report is scheduled or run. 

You can also specify date operations with these system variables to add or subtract a specified number 
of days or hours. For example, $CurrentDate - 7d evaluates to the current date minus seven days (seven 
days before the date the report is run), and $CurrentDateTime - 12h evaluates to the current date and 
time minus 12 hours. 
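As an added example (not from the ArcSight documentation), the following Java class resolves a report date parameter written either as a literal date such as 10/12/2011 8:54:00 AM or as $CurrentDate / $CurrentDateTime with an optional day or hour offset, against a fixed run time. The grammar it accepts (optional whitespace, a + or - operator, units d and h) is an assumption based only on the examples in the text; the class and method names are likewise assumptions.

```java
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: resolves report date parameters as described in the text above. */
public class ReportDateParameter {

    // Assumed grammar: "$CurrentDate" or "$CurrentDateTime", optionally followed by
    // "+" or "-", an integer, and a unit of d (days) or h (hours), whitespace optional.
    private static final Pattern VARIABLE = Pattern.compile(
        "^\\$(CurrentDateTime|CurrentDate)\\s*(?:([+-])\\s*(\\d+)\\s*([dh]))?$");

    // Literal form shown on the page, for example 10/12/2011 8:54:00 AM.
    private static final DateTimeFormatter LITERAL =
        DateTimeFormatter.ofPattern("M/d/yyyy h:mm:ss a", Locale.US);

    /** Resolves a parameter value against the time the report is run. */
    public static LocalDateTime resolve(String value, LocalDateTime runTime) {
        String text = value.trim();
        Matcher m = VARIABLE.matcher(text);
        if (!m.matches()) {
            // Not a system variable: treat it as a literal date and time.
            return LocalDateTime.parse(text, LITERAL);
        }
        // $CurrentDate truncates the time of day to 0; $CurrentDateTime keeps it.
        LocalDateTime base = m.group(1).equals("CurrentDate")
            ? runTime.toLocalDate().atStartOfDay()
            : runTime;
        if (m.group(2) == null) {
            return base;                      // no offset given
        }
        long amount = Long.parseLong(m.group(3));
        if (m.group(2).equals("-")) {
            amount = -amount;
        }
        return m.group(4).equals("d") ? base.plusDays(amount) : base.plusHours(amount);
    }

    public static void main(String[] args) {
        // Constructed run time for the demonstration.
        LocalDateTime run = LocalDateTime.of(2011, 10, 12, 8, 54, 0);
        String[] inputs = {"$CurrentDate - 7d", "$CurrentDateTime - 12h",
                           "$CurrentDate", "10/12/2011 8:54:00 AM"};
        for (String in : inputs) {
            System.out.printf("%-24s -> %s%n", in, resolve(in, run));
        }
    }
}
```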

Select a Report File Format from the drop-down menu. 

Reports can be archived in PDF, HTML, Excel, Comma Separated Value (csv), or Rich Text Format 
(rtf). The default PDF format should be used when archiving reports. Compared to PDF reports, other 
reports may lose formatting information and will appear differently. In addition, Excel format is more 
memory intensive than PDF. 


Running Reports 

For information on how to run a new or archived report, see "Running and Managing Reports" on 
page 448. 


ArcSight-Provided Reports 

There are more than 200 reports listed in the ArcSight Reports group which you can use to immediately 
generate reports or use as templates to create or customize your own reports. 

The ArcSight Reports group contains all reports further subcategorized in one of these report 
subgroups. 


ArcSight Reports 

Report Group            Description 

By Attribute            Provides various reports providing details based on connector type, severity, 
                        device, event name, source, target, and target port. 

By Event Direction      Provides reports based on inbound or outbound attack and alert direction. 

By Event Volume         Provides reports based on the most frequently and least frequently occurring 
                        events. 

By Sensor               Provides reports by type of sensor or connector, for example, firewall, router, 
                        intrusion detection, and so forth. 

By System Object        Provides reports by type of object, for example, active lists, assets, cases, and 
                        notifications. 

Custom Reports          Provides varied example reports demonstrating moving averages and vulnerability. 

Example Canned Reports  Provides reports showing various types of asset reports and different report 
                        layout designs. 

Internal Reports        Provides various reports providing information on system usage, performance, 
                        rule operation, and resources. 


You can run each of the reports to see the type of detail and information each provides. In addition, you 
can view the notes, settings, and conditions set on each tab to see how each report is constructed. To 
use a report as a template for creating or customizing your own reports, copy an existing report to a new 
report group (using drag and drop to copy an existing report to the new report group). You can then 
rename the new report and start making changes to the new report. 


Report Templates 

Report templates are a component of Reporting resource tools. 

To provide more flexibility in reporting, the report template tools include a rich offering of ready-made 
templates and a template design wizard for more customized "Reports". Template definitions 
determine how data from "Queries" and "Trends" is displayed in a report. You can create and adjust 
templates to specify which data is displayed, what visual elements are used (variations on tables, 
charts, graphs, and so on), the layout of those elements, the report output file format, and much more. 
A template consists of report design elements, such as headers, footers, title bars, charts, and tables, 
arranged on a page according to a layout specification. 

Templates can accommodate input from multiple queries and show multiple visual elements, such as 
three charts and a table each pulling from a different data source, in a single report. 

For more information on templates, see "Using Report Templates" on page 375. 

See "Building Reports" on page 371 for an overview of all reporting tasks and tools. 
Resources 

The Manager handles the logic used to process events as objects called resources. Active channels, 
data monitors, filters, cases, assets, queries, trends, reports, rules, and packages are all examples of 
resources. 

A resource defines the properties, values, and relationships used to configure the functions the 
Manager performs. Resources can also be the output of such a configuration (such as archived reports, 
or Pattern Discovery snapshots and patterns). 

The Manager has over 30 different types of resources and comes with hundreds of these resources 
already configured to give you functionality as soon as the product is installed. These resources are 
presented in the Navigator panel of the ArcSight Console. 

This topic provides an overview on working with resources in the Console. Resources in general are 
discussed in more detail in the topic "Resources" in ESM 101. 


Valid and Invalid Resources 

Valid resources show up in the Navigator with their associated icons as described in "Navigating" on 
page 40. A resource can "break" or become "invalid" either because it is constructed improperly (for 
example, when an active list schema does not match the underlying table) or because another resource 
it depends on is missing from the database (for example, when a rule references an unavailable filter). 
The latter can happen when a resource used in other resources is deleted from the Manager, or not 
retained during an upgrade, import, or export. 

Invalid resources show up in the Navigator as broken or torn. 

For example, the Navigator displays a valid filter with the normal filter icon, and an invalid filter with the 
same icon shown broken. 

A valid resource is fully available to other resources that reference it, and can participate in the 
"Events" flow, "Trends", "Reports", "Data Monitors", "Active Channels", "Filters", "Rules", and so 
forth. 

An invalid resource cannot participate in the event flow or other resources in real time. For example, 
invalid "Assets" cannot participate in event asset resolution. Correlated events in which the source or 
target address points to the invalid asset are not generated. Similarly, an invalid rule does not trigger 
and generate correlation events. 


Fixing and Validating Resources 

When a resource becomes invalid, its Editor includes a Validate button that you can use to 
test and validate the resource after you fix it. Clicking the Validate button on a resource that was 
previously broken results in a check of the resource logic and dependencies. If the system determines 
the resource is now valid, the resource icon in the Navigator is updated to reflect a working resource. If 
the system determines the resource is still broken, it displays an error message describing the problem. 

The general flow of steps to fix and validate a resource is: 
1. Identify an invalid resource. Sometimes problems with "Filters" or "Rules" (which are used in many 
other resources) are a result of broken resources. (A valid resource shows its normal icon in the 
Navigator; an invalid resource shows the same icon broken.) 

For example, if the "My Top Threats" filter depends on the "My Hotlist" filter, removing the "My Hotlist" 
filter breaks the "My Top Threats" filter. 

A scheduled job (like a scheduled rule group or archived report) can also break if one of the 
resources it depends on is missing. The broken icon for a scheduled job shows up on the Current 
Jobs list. (See "Job Scheduler" on page 996.) 

2. If you do not already know why a resource is broken, open its editor (double-click the resource in 
the Navigator panel) and click the Validate button in the resource editor. This will give you an error 
message that describes the problem. The error dialog includes a Copy button for copying longer 
messages to an external editor. 

3. Fix the problems with the invalid resource. This may involve adding back in missing resources or 
rebuilding the resource to fit various other requirements as described in "Troubleshooting 
(Requirements for Valid Resources)" on page 682. 

To continue with our example, adding back in the filter "My Hotlist" would fix the problem we 
mentioned in the beginning of this procedure. 

4. In the resource editor, click Apply to save changes to the resources you modified. 

Tip: For problems that can be validated on the local client, you can click Validate before 
clicking Apply. If the resource is fixed, its "working" icon is immediately reflected in the 
Navigator. For other types of problems, however, you need to Apply the changes to the 
resource before you Validate the resource. This is because some types of changes must be 
processed on the Manager to determine dependencies and relationships to other data not 
available on the local client. 

If you think you have fixed a resource but it is still not showing as fixed in the Navigator, make 
sure you Apply all the changes you made to it and then click Validate again. 

5. In the resource editor for the resource that was broken, click Validate. If the resource passes 
validation, its icon in the Navigator updates to reflect a working resource. 
Note: If the resource does not pass validation, the broken icon remains and an error message 
describes the problems. Some problems require saving fixes to the Manager, so be sure to click 
Apply and save changes to resources you fix before you click Validate. 
To validate a scheduled job, click the Open scheduled jobs list tool button to display 
scheduled jobs in the Viewer, right-click the job you want to validate, and choose Validate from 
the context menu. If the job passes validation, its icon in the Current Jobs list updates to reflect a 
valid task. 


Resource Attributes 

The processed "Resources" are composed of several attributes, each of which is a data field with its 
own characteristics. The data fields common to all resources are described below. 

Each attribute has both a Label that you see in the ArcSight Console and a unique Script Alias you 
use to refer to the attribute in filters, rules, or Velocity templates. The Data Type lets you know how to 
handle the attribute. (Also, see "Resources" on page 1024 for information on locked and unlocked 
resources, and "Common Resource Attribute Fields" on page 685 for information on viewing and/or 
editing these fields in resource editors.) 
Resource Attributes 

Each row gives the Group, Label, Script Alias and Data Type of an attribute, followed by its Description. 
A dash (-) marks a cell that is empty in the original table. 

Group                    Label                  Script Alias           Data Type 

Resource Type            Name                   name                   String 
    Top-level categorization of the resource as shown on the Navigator panel, for example, 
    Active Channel, Asset, Rule, and so on. 

Common                   Resource ID            -                      - 
    Read-only field that shows the system resource ID. 

Common                   External ID            externalId             String 
    An identification string suitable for, and which can be referenced by, external systems. 
    Common applications of External IDs include appropriate naming for Case and Asset resources 
    that are tracked in common with defect reporting or vulnerability-management systems. Your 
    administrator can advise you on the correct values for this field, if applicable. For 
    Vulnerability resources, this field will be filled in with an ID of the format 
    <standards body>|<id>, such as CVE|CVE-1999-200. 

Common                   Alias                  alias                  String 
    An identification string suitable for referencing resources. A given alias will appear in 
    place of the resource's name everywhere it may be seen. Your administrator can advise you on 
    the correct values for this field, if applicable. 

Common                   Description            description            String 
    An editable text description of the resource or other related information. This text 
    appears as a tooltip to any user who has ArcSight Console access to the resource. 

Common                   Version ID             -                      - 
    A string showing a globally unique version ID for the resource. 

Common                   Deprecated             -                      - 
    Indicates whether a resource is current or obsolete. If this field is blank, the resource 
    is current. If this field is check marked, the resource is "deprecated" or obsolete. 
    Click the box to toggle the checkmark on or off. 

Assign                   Owner                  owner                  String 
    One or more users who are interested in this resource. 

Assign                   Notification Groups    notificationGroups     String 
    The ArcSight user groups selected from the Users resource tree who should be notified 
    about this resource. 

-                        Parent Group           groupNameLink          Resource Group 
    Each resource group containing this resource. A resource exists in more than one group 
    when you choose Link instead of Copy or Move. 

Creation Information     Created By             userName               User 
    The identity of the user who created this resource. 

Creation Information     Creation Time          creationTime           DateTime 
    The time that the resource was created. 

Creation Information     Time Since Creation    timeSinceCreation      String 
    The elapsed time, in days, hours, minutes, and seconds since this resource was created. 

Last Update Information  Last Updated By        lastUpdatedBy          User 
    The identity of the user who last updated this resource. 

Last Update Information  Last Update Time       lastUpdateTime         DateTime 
    The time that the resource was last updated. 

Last Update Information  Time Since Last Update timeSinceLastUpdate    String 
    The elapsed time, in days, hours, minutes, and seconds since this resource was last 
    updated. 


Rules 

An ESM rule is a programmed procedure that attempts to correlate incoming network "Events" and 
generates new events that report on correlation when it occurs, as determined by security policy. Rules 
also apply "Conditions" and perform "Rule Actions". 

Canned rules can be viewed, edited, and used as templates to create your own enterprise-specific or 
custom rules. To see what's available, browse the description provided with each rule in the ArcSight 
Console. 

Different users can simultaneously create rules from their ArcSight Consoles. Once created, all rules 
are sent to the Manager, which updates any other individual Consoles. Updates to "Resources", 
including rules, are automatically refreshed every few seconds so that clients get the latest changes 
from other clients. 

Information on creating, deploying, and managing rules is provided in Rule Authoring. 


Loading Rules 

How you create rules affects the load placed upon the ArcSight Manager. This load is a function of how 
many partial and full matches are generated by those rules. Since partial matches occur when any 
condition of a rule is met and full matches occur once all conditions of a rule have been met, poorly 
written rules can generate many partial matches without generating any full matches. 

Also, poorly written rules can generate, in a worst case scenario, one additional event for every 
incoming event. However, well-written rules have conditions that are restrictive enough to limit partial 
matches to those events that are likely to participate in a full match. Such rules are also likely to 
generate very meaningful derived events and they also impose a smaller load on the ArcSight Manager. 
Therefore it is very important that you carefully plan, write, and test all your custom rules. 

See "Automatically Disabled Rules" below for more information. 


Automatically Disabled Rules 

A rule can be manually disabled by an administrator or automatically disabled by ESM. ESM 
automatically disables improperly written rules that would produce excessive or meaningless events. 
The Rules resource tree on the Navigator panel displays a manually-disabled rule as greyed out. 

An auto-disabled rule is displayed with a special icon. It shows with the same disabled symbol 
overlaid by an ArcSight logo to indicate that the system disabled it. 

When a rule is disabled, ESM generates an audit event indicating that this happened so that 
administrators can follow up as needed. See "Rule Activations" on page 841 for more information on 
related audit events. 


Tip: About the Rules Status dashboard: 

ESM profiles rule performance by measuring their evaluation time on a sampling basis. You can 
view these results from the All Dashboards\ArcSight Administration\ESM\System 
Health\Rules\Rules Status dashboard, which includes a collection of data monitors reporting 
on different rules statistics. Based on information from this dashboard, manually disable rules 
which you deem expensive. 

The Sortable Rule Stats data monitor on this dashboard does not include pre-persistence rules. 


Why Rules are Automatically Disabled 

Cause: Rule is invalid 

  An invalid rule is automatically disabled and displayed as broken in the Navigator. 

  If an administrator configures a rule or related resource in a way that "breaks" the 
  rule and leaves it in an invalid state, the system automatically disables the rule. 

  If a rule is disabled automatically due to an invalid configuration, an Invalid 
  Reason field is displayed in the Rule Editor on the Inspect/Edit panel. When 
  the rule is reconfigured to a valid state and enabled, the Invalid Reason field is 
  no longer displayed. 

  The Invalid Reason field is not displayed for rules that are manually disabled. 

Cause: Rule is recursive 

  Rules that trigger themselves in a recursive loop are automatically disabled 
  temporarily. A rule that is automatically disabled due to recursion is re-activated 
  after a time frame that matches the aggregation time frame for the rule. (The 
  default aggregation time frame is 2 minutes.) 

  A rule can be inherently recursive due to a flaw in its design, or temporarily 
  recursive because of some particular events involved. In the first case, 
  temporarily disabling the rule often clears out the problem, and allows the rule to 
  run normally when it is re-activated. 

  If the rule is inherently recursive, it is continuously re-enabled and auto-disabled. 
  The solution in this case is to redefine the rule logic and redeploy it, since it is 
  effectively a "broken" rule. 

Cause: Excessive event alias matching 

  This is the number of events matching that alias, independent of other defined 
  aliases. The default limit for event matching is 100000. 

Cause: Partial event matching 

  If more than one event alias is defined in the rule, partial matching is the number 
  of events matching the aliases defined before the current one, and for the 
  current one, and for their join condition (if present). The default limit for partial 
  matches of any event aliases is 100000. 

Cause: Generated event counts 

  This is the number of correlation events generated. The default limit is five 
  correlation events for each base event the rule processes. 

Cause: Base event counts 

  The number of base events used by the rule to generate correlation events. 

Cause: Time unit counts 

  This is the number of time units (minutes) that passed since the current rule 
  activated. The default is 1000 correlation events in one time unit. 

Cause: Number of rule triggers exceeds configured limits 

  The number of rule triggers exceeds the configured limit of 1000 firings per minute for 
  the same aggregated values. A rule that exceeds configured limits shows as 
  disabled in the Navigator, and offers a right-click option for the user to 
  manually disable it permanently. 

  To change this setting, do so in the server.properties file. For example, if 
  you want the limit to be 10000 instead of 1000, enter this setting: 

  rules.max.fan-out.time-unit.ratio=10000 

  For information on how to set properties, refer to the Configuration chapter of the 
  ESM Administrator's Guide, topic on "Managing and Changing Properties File 
  Settings." 

  Note: A rule in this state continues to attempt to run until the user disables it 
  permanently by right-clicking it in the Navigator and choosing Disable. 

Cause: CPU usage has exceeded threshold 

  ESM takes the aggregated evaluation time of all deployed rules. If a rule's 
  evaluation time exceeds 50% of this aggregated time, the rule is automatically 
  disabled. 

  To change this setting, do so in the server.properties file. For example, if 
  you want 60% instead of 50%, enter this setting: 

  rules.max.fractional.cpu=60 

  For information on how to set properties, refer to the Configuration chapter of the 
  ESM Administrator's Guide, topic on "Managing and Changing Properties File 
  Settings." 


For rules that are disabled automatically, right-click the disabled rule and select Disable so that the rule 
is permanently disabled until you can fix the rule. If you don’t manually disable these rules, they 
continuously attempt to run, then are enabled and disabled by the system in a cyclical manner. This 
can impact system performance. 
Rules Processing and Correlation 

A rule has three parts: a condition, threshold and time window aggregation, and an action. The condition 
states if exists and satisfies expressions and the action states do expressions. A rule states if 
[one or more conditions] exist and satisfy the rule, then do [action expressions]. A 
rule can have one or more rule conditions. If there is one condition, the rule acts as a filtering tool. If 
there is more than one condition, the rule acts as a correlation tool. A rule can be created for any 
incoming event from one or more event generators, with various conditions, logic statements, and 
threshold and time window qualification of events. 

Components of a Rule (figure): Conditions, Aggregation, Action 

The Correlation Engine, a sub-component of the Manager that handles rules, is not the same as a 
database query engine. For example, the Correlation Engine can perform a complex join across several 
events in real-time and aggregate the response to these events. In order for the Correlation Engine to do 
this in an efficient manner, it keeps a list of events that match each condition. These are referred to as 
partial matches because they satisfy part, but not all, of the rule's conditions. As new partial matches 
occur, the Correlation Engine attempts to pair them with previous partial matches in order to construct a 
full match. At that point the Correlation Engine may aggregate that match with others while it waits to 
pass some threshold (which can be either time or a target number of full matches). If the threshold is 
passed the Correlation Engine generates a derived event and performs the other actions associated 
with the rule. 


Event Processing of a Rule 
It is important to note that all rules containing a specified threshold and a time window expiration follow 
a certain process in order to generate a derived event and perform an action. If a rule's threshold is 
passed, but the time window expiration has not been met, then the Correlation Engine compensates for 
this by generating a derived event, performing an action, and moving (or sliding) the time window until it 
expires. If this rule process was not in place, under certain conditions, rules would trigger on nearly 
every event in a short amount of time, which would cause a large number of useless events to be 
displayed or actions taken. 
For example, assume that you created a rule with an event threshold of 4 and a time expiration window 
of 3 minutes that sends a notification every time the threshold is met. This rule's process would look 
like the following: 
(Figure: Rule Triggers - Action Taken; Next Time Window Begins) 


In this example, the 4th incoming event occurred before the time window expired, so the rule triggered 
at the 4th event and the time window shifted, adding another 3 minutes. Within the 2nd 3-minute 
interval, the rule restarted its incoming event count; however, a 4th event did not occur, so the rule did 
not fire. Note that the time window did not expire until the 5th minute had passed. If a 4th event had 
occurred before that time, then the shifting process would have begun again. If you were to show the 
rule chain for this example, it would display the information for incoming events 1-4 that occurred within 
the first 3 minutes. Time window expiration triggers fire at the minute boundary unless the next time 
window starts before the minute boundary. 
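To make the threshold and sliding time-window process concrete, here is an added Java simulation (not ArcSight code) of one rule session with a threshold of 4 and a 3-minute window, driven by a constructed list of match times. The trigger names follow the onFirstEvent/onEveryEvent/onFirstThreshold/onSubsequentThreshold vocabulary used later in this chapter; the assumptions are minute-granularity timestamps delivered in ascending order, and that a window which expires without reaching the threshold simply closes the session after its final aggregation.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: simulates the threshold / sliding-time-window behaviour for a
 * single rule session (one "Group By" tuple). Not ESM's own implementation.
 */
public class RuleWindowSimulator {

    /**
     * Replays matches (whole minutes, ascending) through a rule with the given
     * threshold and window length and returns the triggers that would fire.
     */
    public static List<String> simulate(int threshold, int windowMinutes,
                                        int[] matchMinutes, int endMinute) {
        List<String> log = new ArrayList<>();
        Integer windowStart = null;      // null = no open session for this tuple
        int matchesInWindow = 0;
        boolean thresholdFiredBefore = false;
        int next = 0;                    // index of the next match to deliver

        for (int now = 0; now <= endMinute; now++) {
            // 1. Window expiry is evaluated at the minute boundary, before any match
            //    stamped with this minute is counted. Assumption: expiry without
            //    reaching the threshold closes the session after final aggregation.
            if (windowStart != null && windowStart + windowMinutes <= now) {
                log.add("timeWindowExpired@" + now + " (final aggregation, "
                        + matchesInWindow + " matches)");
                windowStart = null;
                matchesInWindow = 0;
            }
            // 2. Deliver every match stamped with this minute.
            while (next < matchMinutes.length && matchMinutes[next] == now) {
                next++;
                if (windowStart == null) {
                    windowStart = now;                   // first match creates the session
                    thresholdFiredBefore = false;
                    log.add("onFirstEvent@" + now);
                } else {
                    log.add("onSubsequentEvents@" + now);
                }
                log.add("onEveryEvent@" + now);
                matchesInWindow++;
                // 3. Threshold reached while start time + time window > current time:
                //    fire, then slide the window and restart the event count.
                if (matchesInWindow >= threshold && windowStart + windowMinutes > now) {
                    log.add((thresholdFiredBefore ? "onSubsequentThreshold@"
                                                  : "onFirstThreshold@") + now);
                    log.add("onEveryThreshold@" + now);
                    thresholdFiredBefore = true;
                    windowStart = now;
                    matchesInWindow = 0;
                }
            }
        }
        return log;
    }

    public static void main(String[] args) {
        // Constructed event stream for the page's example: four matches within the
        // first window (fires at minute 2), two more in the shifted window (no fire),
        // then the shifted window expires at minute 5.
        int[] matches = {0, 1, 1, 2, 3, 4};
        for (String entry : simulate(4, 3, matches, 6)) {
            System.out.println(entry);
        }
    }
}
```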

The Rules resource tree in the Navigator panel offers a default collection of rules that you can use 
directly or as a template for creating your own custom rules. 

For example, there are rules predefined to detect and perform actions based on system rules 
processing and SmartConnector status. Other rule groups detect and respond to attacks and 
suspicious activity, specific types of attacks on various sensor types, network components, or assets, 
and report attack results or successes. 


Rule Groups 

Rules are organized into groups to store similar rules in one location. The Rules tree in the Navigator 
panel organizes rules into the following groups. 


Rule Groups          Description 

<userID>'s Rules     The user's home directory, where they have read/write permissions to author rules. 

Shared Rules         Rules that establish the permissions for the current user. 

Real-time Rules      Rules that are run against real-time events. 

Public Rules         The rules that any user can read. 

System Rules         The global rules provided by ArcSight. 

Unassigned           Rules that do not belong to any directory. These can be rules that have not been 
                     inserted into any directory, or their parent directory has been deleted. 


If you have Administrator access you will have another group named All Rules that contains all user 
rule groups and their rules. 


Scheduled Rules 

You can deploy scheduled rules to run at a specified time interval (such as hourly, daily, or monthly). 
This is a useful alternative to real-time rules in situations where you want to deploy rules that take into 
account historical data along with live data, or when you simply want to control when the rules are run. 
The scheduled rules engine can process historical data, take real actions, and generate correlated 
events which are the same as those generated by the real-time rules engine. 

Only rule groups can be scheduled. To schedule one or more rules, you add the rules to a rule group, 
and then edit the rule group to add a scheduled job. For more information, see "Scheduling Rules" on 
page 539. 


Rule-triggering Timing 

Rule-processing sessions are associated with “Group By” tuples (for example, a particular pairing of 
source and target address). 

A match occurs when all the conditions of the rule are met. 

The first match associated with a new tuple creates a new session. It also triggers onFirstEvent and 
onEveryEvent. The system then sets the start time for the first time window. 

Subsequent matches trigger onSubsequentEvent and onEveryEvent. 

If enough matches occur to pass the threshold count before the time window expires (the window is 
still open as long as start time + time window > current time), then the Manager triggers onEveryThreshold 
and one of either onFirstThreshold or onSubsequentThreshold, and it resets the start time for the next 
time window. 

If a time window ends without meeting the threshold, then "final aggregation" occurs. The 
onTimeWindowExpiration option is triggered and the session is disassociated from the tuple. 
The next match with the same tuple (or, in fact, any tuple, same or new) will cause the whole process 
to repeat. 
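The session, threshold and time-window behaviour described above (and the threshold-4, 3-minute example earlier in this chapter), as an added Python simulation that is not ArcSight code. The Group By fields, the Device Product condition, the addresses and the event timestamps are constructed for illustration, and window expiration is evaluated whenever the engine sees a new timestamp rather than at the minute boundary.

```python
"""Simulation of ESM rule-session timing (added example, not ArcSight code).

One rule-processing session exists per Group By tuple. Trigger names follow the
Rule-triggering Timing text. Window expiration is evaluated whenever the engine
sees a new timestamp (an assumption; ESM fires it at the minute boundary).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Dict[str, str]
Trigger = Tuple[int, str, tuple]  # (seconds, trigger name, Group By tuple)


@dataclass
class Session:
    start: int            # start time of the current time window
    count: int = 0        # matches counted in the current window
    thresholds_met: int = 0


class Rule:
    """Condition statements (ANDed), threshold, time window and Group By fields."""

    def __init__(self, conditions, threshold, window_seconds, group_by):
        self.conditions = conditions  # list of (field, operator, value)
        self.threshold = threshold
        self.window = window_seconds
        self.group_by = group_by
        self.sessions: Dict[tuple, Session] = {}
        self.triggers: List[Trigger] = []

    def matches(self, event: Event) -> bool:
        """A match occurs when all the conditions of the rule are met."""
        for field_name, op, value in self.conditions:
            actual = event.get(field_name)
            if op == "=" and actual != value:
                return False
            if op == "!=" and actual == value:
                return False
        return True

    def _fire(self, now: int, name: str, key: tuple) -> None:
        self.triggers.append((now, name, key))

    def expire(self, now: int) -> None:
        """Final aggregation: a window that ended (start + window <= now) without
        meeting the threshold fires onTimeWindowExpiration and drops the session."""
        for key, session in list(self.sessions.items()):
            if session.start + self.window <= now:
                self._fire(now, "onTimeWindowExpiration", key)
                del self.sessions[key]

    def process(self, event: Event, now: int) -> None:
        self.expire(now)
        if not self.matches(event):
            return
        key = tuple(event.get(f) for f in self.group_by)
        session = self.sessions.get(key)
        if session is None:
            # First match for a new tuple creates the session and starts window 1.
            session = Session(start=now)
            self.sessions[key] = session
            self._fire(now, "onFirstEvent", key)
        else:
            self._fire(now, "onSubsequentEvent", key)
        self._fire(now, "onEveryEvent", key)
        session.count += 1
        if session.count >= self.threshold:
            # Threshold met inside the window: fire, then shift the window and
            # restart the count, as in the threshold-4 / 3-minute example.
            self._fire(now, "onEveryThreshold", key)
            self._fire(now, "onFirstThreshold" if session.thresholds_met == 0
                       else "onSubsequentThreshold", key)
            session.thresholds_met += 1
            session.start = now
            session.count = 0


def simulate() -> List[Trigger]:
    """Replay constructed events against a threshold-4, 3-minute rule."""
    rule = Rule(conditions=[("deviceProduct", "=", "Cisco Router")],
                threshold=4, window_seconds=180,
                group_by=("sourceAddress", "targetAddress"))
    cisco_a = {"deviceProduct": "Cisco Router",
               "sourceAddress": "10.0.0.5", "targetAddress": "10.0.0.9"}
    cisco_b = {"deviceProduct": "Cisco Router",
               "sourceAddress": "10.0.0.7", "targetAddress": "10.0.0.9"}
    juniper = dict(cisco_a, deviceProduct="Juniper")  # fails the condition
    feed = [(0, cisco_a), (30, cisco_a), (60, cisco_a), (90, juniper),
            (100, cisco_b), (120, cisco_a),   # 4th match at t=120: threshold
            (200, cisco_a), (250, cisco_a),   # only 2 matches in window 2
            (310, cisco_a)]                   # window 2 ended at 300: expiration
    for now, event in feed:
        rule.process(event, now)
    rule.expire(600)  # advance the clock so the last window also expires
    return rule.triggers
```

Calling simulate() returns the ordered trigger list; the 4th match fires onFirstThreshold at t=120, window 2 expires at its first chance after t=300 without firing, and the match at t=310 opens a fresh session.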


Rule Chains 

When rules are designed to trigger in a series, in order to capture or act upon correlated events within a 
specified interval or at a particular threshold, they are referred to as rule chains. 


Variables 

You can use all of the dynamic time parameters you see in the Active Channel Editor and elsewhere, 
such as $Now and $CurrentDateTime. The same is true for time elements, including s (second), m 
(minute), d (date), M (month), w (week), and y (year). To use any event data field as a variable, express 
its displayed name as a one-word "camel cap" string prefixed with a dollar sign; for example, "Source 
Address" would be $sourceAddress. 


Rule Actions 

Rule actions are automatic procedures that occur when all rule "Conditions" and threshold settings 
have been met. (See also "Rules" on page 1029.) You can choose to be notified of a triggered rule at the 
ArcSight Console or through the Notifier (see "Notifications" on page 1002), have information about the 
"Events" that triggered the rule sent to a case or active list (see "Cases" on page 853 or "Active Lists" 
on page 787), or automatically execute a command line function. You can also assign more than one 
rule action to any rule. 

The task steps for these activities are available in "Managing Rule Actions" on page 515. 


Active List Rule Actions 

The Active List rule action automatically organizes rule-associated IP addresses in active lists. Once a 
rule is triggered, the Active List rule action adds IP addresses from events that have triggered the rule 
to an active list. The Active List rule action can also move or remove IP addresses from active lists. 
Rules can also be created on active lists. 

When the rule is triggered, the rule action takes all associated addresses (source or target) and adds 
those addresses to an active list. For example, if a rule is triggered with an action that has Source 
Address and Suspicious List selected, all source addresses are sent to the Suspicious List in the 
Active Lists resource tree. 


Execute Connector Command Rule Actions 


Note: Rule actions to execute TRM Connector commands on the TRM appliance are not 
supported. Use the URL Command instead. 

Rule actions can automate the process of sending commands to SmartConnectors and through them 
to the devices they support. While all SmartConnectors can respond to the basic commands (for 
example, start, stop, pause, continue, and terminate), some that represent more complex devices can 
respond to more complex commands. For example, rule actions can tell the Check Point Firewall 
SmartConnector to tell its device to block a particular IP address. See "Managing Rule Actions" on 
page 515 for a description of the actual steps involved. 

It may be helpful to note that this feature is in effect an automated solution for using the capabilities 
described in "Sending Control Commands to SmartConnectors" on page 163. 

The specific SmartConnectors that support this capability, and the additional commands they can 
process, are subject to change. Consult your administrator or representative for more information. 


Rule Conditions 

A rule is a programmed procedure that can analyze network "Events" and generate additional 
correlation events, as determined by security policy. (See also "Rules" on page 1029.) When creating 
rules, you define the rule events and "Conditions", thresholds, and "Rule Actions". Conditions define 
which events trigger the rule, thresholds set when a correlation event is generated, and actions state 
which responses are taken when a correlation event is generated. To define rule events and conditions, 
thresholds, and actions, begin by determining the following: 

• Which event occurrences do I want to be aware of? This determines the rule's events and 
conditions. 

• How many times do I want the event or events to occur and within what time frame? This 
determines the rule's threshold. 

• What actions should automatically occur when an event is generated? When should those actions 
occur? This determines the rule's actions. 

A rule requires at least one event and one condition. When you create or edit a rule, the ArcSight 
Console provides a Conditions tab in which you can specify events and define the conditions for a rule. 
(The Conditions tab is described in the topic, "Common Conditions Editor (CCE)" on page 864.) 

Rules are first constructed by creating condition statements. Condition statements contain a data field, 
logic operator, and data field value; so you can create complex logical expressions by combining one or 
more individual conditions to match the events you want to trigger a rule. 

When you first create a new rule, a default event named event1 appears as a branch under the Event 
conditions tree for the new rule. (The event name is also commonly referred to as the event alias.) You 
can use this name or select a different event to use in the condition. Since rules can have numerous 
events, event names should be unique and descriptive within the same rule. For example, if monitoring 
Cisco Router denied events, Cisco Router denied could be the event name. The event name 
appears as a branch under the Event conditions tree. 

When defining the condition for an event, the Conditions tab provides three columns: Name, Operator, 
and Condition. These three columns are combined to create <data field> <logic operator> 
<data field value> condition statements. For example, if monitoring a Cisco Router, the condition 
statement could be Device Product = Cisco Router: Device Product as the data field, = as the 
logic operator, and Cisco Router as the data field value. 

When adding conditions, you need to decide how to tie the new condition to any existing conditions. To 
add more condition statements to an event, you can use logical operators AND, OR, or NOT to specify 
how to evaluate the condition statement that contains more than one individual condition. 

Besides specifying events in a condition, you can also add filters, assets, and vulnerabilities to rules as 
new conditions. A filter condition monitors if an event occurs in a particular filter. If an event does occur 
in that filter, a correlation event is generated (see "Specifying Rule Conditions" on page 498). Asset 
conditions state whether your enterprise assets are targets or sources of events. An asset condition 
states if an event occurs and the selected asset is the source or target, generate a correlation event. 
Finally, you can also use an existing enterprise vulnerability to create a rule condition. A vulnerability 
condition states if an event occurs with the vulnerability selected, generate a correlation event. For 
more information on vulnerabilities, see "Modeling the Network" on page 98. 

In some cases, however, you may want to specify more complex rule processing to restrict the events 
that actually cause a rule to fire. There are two additional elements you can include to specify more 
complex rule conditions: rule thresholds and aggregation. See "Specifying Rule Thresholds and 
Aggregation" on page 511. 


Rules Editor 

The Rules Editor is a panel in the ArcSight Console for creating and editing rules. 
The rules you create or edit are stored in .ARL (ArcSight Rules Language) files. 
For more information, see "Rules Authoring" on page 493. 


Schema 

The schema is more than 400 data fields of the normalized data recorded by the device (sensor) that 
reports events to the SmartConnector. The schema is the culmination of the normalization process, 
and the backbone of the data structure that drives correlation. 

The schema also includes fields that support resources that operate on other resources, for example, 
actors, assets, and cases. 

The schema can now also be expanded with user-defined fields. Global variables enable you to define a 
variable that derives data from fields in the schema, which can be used in multiple places (see "Global 
Variables" on page 555). 




ArcSight Console User's Guide 
Chapter 29: Reference Guide 


Avoiding Field Naming Collisions 

With the addition of user-defined fields to the schema comes the possibility of name collisions. In most 
cases, field names, regardless of type, must be unique to be resolved. The following attributes are 
checked to verify that names are unique for all types of data fields: 

Fields Validated for Uniqueness 

Field Type                  Field Validated 

Event                       name, alias, field name, display field name 

Actor                       name, alias, field name, display field name 

Asset                       name, alias, field name, display field name 

Case                        name, alias, field name, display field name 

Custom columns (public)     N/A 

Custom columns (private)    N/A 

Global variable             name, alias, field name 

Local variable              name, alias, field name 

Domain field                name, alias, field name 


The Manager uses the following policy to manage potential naming collisions. 


• The Manager grants names on a first-come-first-served basis. A domain field or global variable 
that comes later with the same name as another field is either marked as 'disabled' if added in 
batch mode (such as from an archive file or package) or 'denied' when being created directly from 
the ArcSight Console. 

• Name collision is allowed among resource and event-based system fields. For example, the name 
field of event can be the same as the name field of an actor. 

• Global variable names must be unique across all types of schema fields. For example, a global 
variable cannot have the same name as a domain field or event. 

• The name of a local variable must be unique across all types of fields: event fields, resource-based 
fields, global variables, and other local variables in the same containing resource. 



Can the name be the same when in use by 

When Requesting a Name for a    Global Variable    Local Variable    Event, Actor, Asset, Case 

Custom Cell                     Yes                Yes               Yes 

Domain Field                    No                 Yes               No 

Global Variable                 No                 Yes               No 

Local Variable                  No                 No                No 


The following exceptions apply to avoid naming collisions with existing customer-created fields and 
ArcSight-supplied global variables during upgrade to a future release: 

• Existing custom columns added to active channels (see "Customizing Columns" on page 236) are 
excluded from name collision validation. Custom columns can have the same names as event 
fields, resource fields, global variables, and local variables, and vice versa. 

• New global variables can have the same name as an existing local variable. A new local variable 
cannot have the same name as an existing global variable, but if a local variable already exists with 
a particular name, a global variable with that same name can be added without a name collision 
error. 

Event Fields 

• Most information reported by sensor devices is in the main event fields. 

The information is accessible from Rules, Filters, and Reports. The events from a supported sensor 
might include three different fields (encryption failure, encryption success, and error) that all 
contain messages. These three are all mapped to the 'message' field. 

• Usage clarification for many fields. 

This information helps you write rules or data monitors that use the variety of possible values. 

Precise Event Categorization 

ESM categorizes events across six dimensions: 

• the object acted on by the event 

• the action represented by the event 

• the technique used to achieve the action 

• whether or not the action succeeded 
• the security significance of the event 

• the class of device that reported the event. 

See "Categories" on page 854. This scheme supports focused rule authoring and data monitor 
construction. 

Events describe either an action or a state. Actions are attempted against a particular object and may 
succeed or fail. There may be many ways to attempt a particular action against an object (such as 
different ways to exploit an exposed vulnerability). States describe the status of a particular object, and 
these states may be known to be true, or they may be hearsay. Events all have some significance to 
the security profile of the protected network. Finally, it is interesting to know what sort of device is 
reporting the event. 


If we look at Snort SID 103, we discover that it is a report of a scan searching for pre-installed 
subseven 22 back doors. We would categorize these events as follows: 


Security Significance    /Recon 

Behavior                 /Communicate/Query 

Technique                /Scan/Service 

Device Type              /IDS/Network 

Outcome                  /Attempt 

Object                   /Host/Application/Backdoor 


In this case, a network intrusion detection system (IDS) would observe an attempt to communicate 
with a backdoor and infer that this was part of a service scan attempting to discover pre-installed 
instances of that backdoor. Naturally, this implies an external connector is performing reconnaissance 
on the protected network. 


Send Logs 

Several system components provide various types of information to log files. For example, the 
Manager logs are located in ARCSIGHT_HOME/logs/default/server.log. Various Manager utilities 
write logging information into different sets of log files. (The archive utility writes to archive.log, 
the database init utility writes to dbwizard.log, and so forth.) Each of those sets can consist of 
multiple files. The number and size of the log files are configurable on the Manager under 
ARCSIGHT_HOME/config/server.properties. 

ArcSight Console and connectors also generate and store log files. 

HP Software Support may request log files and other diagnostic information to troubleshoot problems. 
The sendlogs utility automatically locates log files and compresses them. 

The Send Logs utility does not send any log files automatically; you will be instructed by the support 
representative on how to send the log files. 
Guidelines for Using the Send Logs Utility 

• Although Send Logs is accessible to any user logged into a component, only administrators have 
permission to collect logs on remote systems. Non-administrative users can only collect local logs 
from the component where they are logged in. 

• SmartConnectors must be running version 4037 or newer to support remote collection of logs with 
Send Logs (using an ArcSight Console or the Manager). 

• You can only collect local logs on SmartConnectors or ArcSight Database. That is, if you run the 
Send Logs utility on ArcSight Database, only the database log files are gathered. 

• You can run the sendlogs utility on a component even when the component service is down. If the 
Manager is down, you can only collect its local logs. However, if you need to collect the database 
logs as well, use the arcdt command on the Manager. 

• All log files for a component are gathered and compressed. That is, you cannot select a subset of 
log files that the utility should process. 

• The sendlogs utility generates a compressed file on your local system. The compressed log file is 
created in ARCSIGHT_HOME/tmp/logs<Filename>.zip. 

• You can review the compressed file to ensure that it contains only the desired and appropriate 
amount of information. 

• You can remove or sanitize information such as IP addresses, host names, and e-mail addresses 
from the log files before compressing them. The options are to (a) send logs as generated, (b) 
remove only IP address, or (c) remove IP address, host names, and e-mail addresses. 


Options for Running Diagnostics and Sending Logs 

There are two ways to launch the Send Logs utility: 

• As a wizard from the ArcSight Console Tools menu. (See "Using the Network Tools" on page 53.) 

For details on using the sendlogs utility from the ArcSight Console, see the "Configuration" chapter 
of the Administrator's Guide. It is under "Configuring Manager Logging" then "Gathering logs and 
diagnostic information." 

• From the command-line interface of each component, using the command arcsight sendlogs from 
ARCSIGHT_HOME/bin on the ArcSight Console or Manager. 

For details on using the sendlogs utility from the command line, see the "Administrative 
Commands" section of the Administrator's Guide. 

You can also use the arcdt command to run specific diagnostic utilities from the Manager command 
line. 
Starting the Send Logs Wizard on the ArcSight Console 

You can launch the Send Logs Wizard from the ArcSight Console by choosing Tools > SendLogs 
from the Console menu. 

The first time you run the utility from the Console, you are prompted to select the components from 
which to gather logs and diagnostics. Some additional first-time settings are also required (such as 
notification details, time ranges, and options to gather diagnostics for session wait times, thread 
dumps, and database alert logs). The wizard remembers most of these, so that on subsequent runs you 
can choose to retain the original configuration. 

From then on, when you start the Send Logs wizard you get a dialog offering these choices. If you want to 
retain your original settings, select "Use current settings to gather logs." If you want to re-set the 
configuration, select the "Change/Review settings before gathering logs" option. From either of these 
initial dialogs, the wizard guides you through the process of collecting logs and diagnostic information. 

For a full description of all options and settings on the Send Logs utility, see "Configuring Manager 
Logging" in the Administrator's Guide. 


Session Correlation 

A session is information about the actors behind your network traffic that applies for a limited and 
specific period of time. Session information can be used to answer questions such as: "Who is in the 
New York office?" or "How many people are in meetings?" or "Are users accessing this resource 
according to company policy?" 

Session correlation is a set of tools that capture session information to not only identify the assets 
involved in network traffic, but also the users, or actors, behind the traffic. (See "Understanding 
Session Correlation" on page 569.) 

Session correlation makes it possible to map users to assets at specific time periods. This is 
especially valuable for identifying who is doing what on your network from which assets and when, 
especially when the asset IDs themselves may be variable (such as DHCP or VPN logins). 


Why Session Correlation Matters 

Monitoring traffic on your network generally means processing data about the assets involved in the 
network traffic. However, there are times when asset data alone is not sufficient to detect potential 
threats to your network. 

For example, users who log into the network on VPN or DHCP connections are assigned different IP 
addresses every time they log in. When sensors report events to SmartConnectors, they are only 
identified by their assigned IP address, which means that you may be missing a whole spectrum of 
activity from mobile assets, such as laptops and PDAs and remote offices. 
Whether accessing your network by using assets with fixed or variable IDs, it is often the user (the 
"actor") involved in the network activity whose actions you want to correlate with other event data. This 
enables you to track who is doing what on your network and when, and what they are doing in 
subsequent log-in sessions. 

Capturing data about who is involved in network traffic as well as what assets are involved also adds 
crucial verification data to your correlation process. For example, three failed login attempts from a 
particular IP address can trigger a rule. But if that IP address is assigned to three different assets in the 
timeframe evaluated, session correlation makes it possible to clarify that the three failed login attempts 
were not executed by the same user. 


Session Lists 

Session Lists are similar to "Active Lists", with the following major differences: 

• Session Lists always have Start Time, End Time, and Creation Time fields. 

• Session Lists partition data into weekly partitions because the lists can grow very large over a 
period of time. 

• Session Lists do not have to fit entirely in memory. 

• Session Lists are optimized for efficient time-based queries. 

Session Lists can monitor activity based on any "Rules"-driven combination of "Events" attributes or 
set of custom fields. For example, session lists are very useful for tracking suspicious or hostile IP 
addresses as well as targets of attacks that may be compromised. 

While you can populate session lists "manually" (adding entries from grid views or the Session List 
Editor), you should use session lists in conjunction with rules specifically tailored to work with them. 
Rules can dynamically add and remove entries on lists, thereby making them a flexible information- 
gathering tool. 

You can open and edit session lists in grid views. 

Session lists function differently than "Active Channels". Session lists are not continuously 
re-evaluated and are not time-window constrained. Session lists draw from the event stream on the 
basis of their event or field/rule definitions and any rules designed to affect them. 

You can use session lists as "Filters" in other "Resources" that are not based on active channels, such 
as "Reports". 

In addition to their integral definitions, you can apply temporary (not saved) filters to session list grid 
views. Click the status description in the Filter line in the view header to use the "Common Conditions 
Editor (CCE)". 

Use the set of default items in the Session Lists resource tree for templates or for operational 
monitoring with minor modifications. For example, use the ArcSight User Sessions list to watch 
activity related to logins. 

If you have Administrator access you will have another group named All Session Lists that contains all 
session list groups and lists. 
See also "Session Correlation" on page 1042. 


SmartConnectors 

SmartConnectors are collectors of security event information generated by multi-vendor security 
devices throughout your enterprise. SmartConnectors normalize and correlate this data into "Events", 
expressed as ArcSight Messages, which are forwarded to the Connector Data Manager (a component 
of the "Manager") for further processing. SmartConnectors can reside on a device, on the Manager, or 
on a host machine. (For more information on SmartConnectors, see also "Managing SmartConnectors" 
on page 140.) 

Caution: Do not delete a Connector resource at the Console unless the corresponding 
SmartConnector is first uninstalled from the device it is running on. If the SmartConnector running 
on the device has not been uninstalled, and its Connector resource is deleted, the SmartConnector 
will lose its connection to the Manager, causing the SmartConnector to start caching events and 
eventually dropping them. 

Related topics: 

• "Operational Status" below 

• "Configuration" on the next page 

• "Zones" on the next page 

• "Upgrading" on page 1046 

• "Filtering" on page 1046 


Operational Status 

SmartConnectors display their operating status conditions next to their names in the Connectors 
resource tree in the Navigator panel. 


SmartConnector Status Conditions 

Status Condition    Description 

running             The SmartConnector is operating normally. 

down                The SmartConnector is not connected to the ArcSight Console, therefore no events are 
                    being received. 

stopped             The SmartConnector is responding to commands sent from the Console, but events 
                    aren't being received. 

paused              The SmartConnector is responding to commands sent from the Console, but events 
                    aren't being transferred and are remaining in the SmartConnector's cache. 


Configuration 

You can configure SmartConnectors to set a specific priority level for events that match specific 
criteria. One of the typical applications of this is to change the default priority mapping. By default, 
SmartConnectors map the device priority (which may contain multiple levels) to the standard 
priority levels: Very-High, High, Medium, and Low. For example, if a device has eight priority levels 
(0-7) where 0 is the highest priority, then most likely 0 and 1 will be mapped to Very-High, 2 and 3 to 
High, 4 and 5 to Medium, and 6 and 7 to Low. You can use this feature to change this behavior and 
make the SmartConnector set the priority based on different parameters. For example, assume two 
firewalls, one of which is your production firewall and the other an internal firewall used for testing. You 
can configure the SmartConnectors to set the priority to Low for all the events coming from the internal 
firewall and leave the rest of the events with the default priority mapping. 

SmartConnectors can be configured to optimize their performance and increase their functionality. 
SmartConnectors can be configured to enable aggregation, batching, and time zone correction 
functionality. You can also send control commands from the ArcSight Console to SmartConnectors to 
manage the flow of events. 

Note: SmartConnector configuration also affects the ability to automatically create the assets that 
represent network devices. Each SmartConnector needs to report an IP address or hostname for 
its sensor so its events can be identified on the network. See the configuration guides for your 
SmartConnectors to ensure they are reporting this information. 

For information on how to import and export SmartConnector configurations, see "Importing and 
Exporting SmartConnector Configurations" on page 173. 

Tip: SmartConnectors can send event information to the Manager in a compressed format using 
HTTP compression. Using compression lowers the overall network bandwidth used by 
SmartConnectors dramatically, without impacting their performance. By default, all 
SmartConnectors have compression enabled. You can disable compression on SmartConnectors 
by modifying the ARCSIGHT_HOME/user/agent/agent.properties file as described in "Disabling 
Event Compression" in "Configuring ArcSight SmartConnectors" in the SmartConnector User's 
Guide. 


Zones 

Network zones are address-based network zone information as reported by or assigned to connectors 
and integrated as an asset property. You can access zones through the "Zones Tab" of the Assets 
resource tree, and through the Zone Editor. 

The system can gather and integrate zone information by any of the following methods. Only one 
method can apply to a given connector. 

• If an AUP file (ArcSight SmartConnector "Content" update) is installed with a connector, the zone 
information, if present, provides address-based recognition. 

• If a defaultzones.csv file is installed in the connector's ARCSIGHT_HOME/system/agent/acp 
directory, it overrides an AUP file if present. 

• If the various zone URI values are set in the Connector Editor, in the Network section of the 
Networks: Content tab, they override URIs from an AUP file, a defaultzones.csv file, or the 
defaults. 


Upgrading 

You can centrally manage, configure, and update SmartConnectors remotely. You can use the 
Upgrade SmartConnector utility on the ArcSight Console to install newer versions of SmartConnector 
software for managed devices, and to review which versions are currently installed. (See "Upgrading 
SmartConnectors" on page 175.) 

The connector upgrade utility is one of the control commands available on SmartConnectors. (See 
"Sending Control Commands to SmartConnectors" on page 163.) 


Filtering 

SmartConnectors can also act as a filtering tool between devices and the Manager, using filtering 
conditions. Filtering conditions are set with a combination of AND or OR statements and data field 
values. Extraneous events are filtered out to minimize the number of events sent to the Manager and 
analyzed in the ArcSight Console. 

Note: Events filtered out by SmartConnectors are not reported to the Manager, so they won't be 
stored in or available later from the ArcSight Database. 

For information on how to import and export filters on SmartConnectors, see "Importing and Exporting 
SmartConnector Configurations" on page 173 (especially the topic on "SmartConnector Filters" on 
page 175). 


SMTP 

SMTP is used to send e-mail. An SMTP server must be configured either at install time or through 
context (right-click) menu e-mail settings. For "Notifications", the relevant fields are "from address", 
which designates the e-mail address that notification e-mail is sent from, and the "outgoing e-mail server," 
which is the SMTP server used to send e-mail. It is important to ensure that the "from address" specified is 
one that will not be rejected by the SMTP server, since some SMTP servers will reject unknown e-mail 
addresses. POP3 and IMAP can be used to check for e-mail acknowledgments. 

You can specify these options at install time, or through context (right-click) menu e-mail option 
settings. For acknowledgements, the relevant fields are "incoming mail server," which is the 
POP/IMAP server used to check e-mail, "incoming mail protocol," which is either POP3 or IMAP, and 
"account" and "password," which are the login name and password used to access the mailbox on the 
incoming mail server. Note that replies to mails from the notification "from address" should reach the 
mailbox accessible to the "account" login. 


Sortable Field Sets 

All fields are indexed, so all fields are sortable. Sortable field sets used to include fields that were 
indexed. Now they are simply a way to manage access, since sortable field sets are associated with 
user groups to control access, through the ACL Editor, which edits Access Control Lists. See "Editing 
Access Control Lists (ACLs)" on page 189. 

This sorting is represented by the ascending and descending Sort Column and Remove Sort 
commands you can apply in the headers of grid view columns. This is also the sorting that you apply 
through the Sort Fields tab in the Active Channel Editor when creating or editing channels. 

Enabling all fields for sorting, or allowing on-the-fly sort indexing for previously unindexed fields, are 
both impractical for real-world performance. The practical solution is to select and index the most 
order-significant or frequently used fields and to make these fields readily available in clearly marked 
sets. Therefore, field sets are available from a Navigator panel resource in Active Channels called 
Sortable Field Sets. (In the Navigator, choose Active Channels, and click the Field Sets tab.) 

Sortable field sets are like other "Field Sets", except that they are composed only of fields for which 
sort indexing has been enabled. 

Like other resources, sortable field sets are associated with user groups to control access, through the 
ACL Editor, which edits Access Control Lists. (See "Editing Access Control Lists (ACLs)" on 
page 189.) 

The selection of sortable fields and the named sets these fields are collected in are often customized 
during initial installation for an enterprise, and are usually tailored further after production use begins. 
Therefore, a reliable list can't be published in advance. 

If you try to add an unsortable field to a sortable field set, or try to select sorting for an unsortable field in 
the Sort Fields tab in the Active Channel Editor, the ArcSight Console alerts you about the field's 
status. 


Caution: Here are reminders for using sortable field sets. 

• Sortable fields belong to exclusive sets. This means that if you use a sortable field from one 
sortable field set to control an active channel, you cannot use sortable fields from other sets as 
secondary sort controls. 

• Users should not edit the field sets in the System Field Sets folder. If edits do occur by 
mistake, the system will auto-restore those resources to their defaults in about an hour. 


"Variables" are not subject to indexing and therefore are not candidates for sortable field sets. 

Tip: See also "How Fields are Indexed" on page 687 for additional information on the search index 
levels. 


Sorting Columns in Grid Views 

In grid views (including "Active Channels"), the names of fields in column headers are indicated with a 
double arrow icon, and the Sort Column right-click command is enabled. This applies to all fields. 

To sort a list per a particular column, right-click over the column name and choose Sort Column. 

If a field is already sorted, one of two additional icons is shown next to the column name indicating 
which direction the sort is applied. 

• A down arrow indicates a "top-down" sort is in effect on that field. (For example, when the event 
End Time field is sorted top-down, newer events are displayed at the top of the list and older events 
at the bottom. When the Priority field is sorted top-down, events are listed from higher to lower 
priority.) 

• An up arrow indicates the reverse ("low-to-high") sort is in effect on that field. (For example, if the 
event End Time were sorted this way, older events show at the top of the list and newer events at 
the end. Similarly, a reverse sort on the Priority field would put low priority events at the top of the 
list.) 

When Sort Column is chosen on a sortable field, a "low-to-high" sort is applied first (for example, 
show events from lowest to highest priority if the Priority field is sorted). If Sort Column is selected 
again, the sort order toggles to the reverse of the previous sort (high to low priority, per our example). 
The Remove Sort option disables the sort and returns the list to its unsorted state with regard to that 
particular column. 

Multiple columns can be sorted simultaneously. The most recently applied sort will take precedence. 

See also "Applying a Field Set to an Active Channel" on page 216 and "Sorting Events in an Active 
Channel" on page 212. 


Status Monitor Events 

The status monitor events are internal ESM events that appear on the event stream. These events can 
reveal and isolate many different quantity and time-unit issues that bear directly on performance and 
capacity. There are many possible applications of this system-state data, but those applications must 
always be interpreted within the context of your particular hardware, software, and network 
environment, and the deployment choices you have made. 

Compare status monitoring events, which provide information about a wide variety of system states, to 
Audit Events, which report on system activity. 

ESM does not provide standard content (such as filters, active channels, reports, query viewers, 
and so on) for the status monitors, but if you are interested in all /Monitor events, create an active 
channel and use the condition Device Event Category StartsWith /Monitor, or use a very 
specific condition, for example, Device Event Category = /Monitor/Asset/TotalCount. You can 
also use the condition in a query for a report or a query viewer. 


Active Channel Statistics 

Active channel statistics, specifically any changes that occur in the counts they report, can indicate 
performance issues and the use of processing cycles. These events summarize: 

• The number of currently open Active Channels 

• The number of events inserted into Active Channels per second 

• The number of events changed across all open Active Channels per second 


Status Monitor Event Categories for Active Channels 

Device Event Category                        Device Event Class ID   Audit Event Description                       Notes 
/Monitor/ActiveChannels/Open                 monitor:100             Open active channel count                     Count, current value 
/Monitor/ActiveChannels/Events/Insertions    monitor:174             Active channel event insertions per second    Count per second, since last monitor event 
/Monitor/ActiveChannels/Events/Changes       monitor:175             Active channel event changes per second       Count per second, since last monitor event 


Active List Statistics 

Active list statistics monitor the resources being used by active lists. Active lists entries use some 
memory and database resources, and use CPU resources when they are referenced by other parts of 
the system (for example, rules, reports, and filters). While changes to these temporary lists are not 
persisted, they do represent some memory overhead. Note that when active lists are used by replay- 
with-rules, this also creates temporary lists. 


Status Monitor Event Categories for Active List Statistics 

Device Event Category                         Device Event Class ID   Audit Event Description              Notes 
/Monitor/ActiveLists/ListCount                monitor:114             Open active list count               Count, current value 
/Monitor/ActiveLists/EntryCount               monitor:115             Active list entry count              Count, current value 
/Monitor/ActiveLists/EntryCapacity            monitor:116             Active list entry capacity           Count, current value 
/Monitor/ActiveLists/EntryPercentUsed         monitor:117             Active list entry usage              Percent, current value 
/Monitor/ActiveLists/TemporaryListCount       monitor:118             Temporary active list count          Count, current value 
/Monitor/ActiveLists/TemporaryEntryCount      monitor:119             Temporary active list entry count    Count, current value 
/Monitor/ActiveLists/TemporaryCapacity        monitor:120             Temporary active list capacity       Count, current value 
/Monitor/ActiveLists/TemporaryPercentageUsed  monitor:121             Temporary active list usage          Percent, current value 
/Monitor/ActiveLists/QueriesPerSecond         monitor:122             Active list queries per second       Count per second, since startup 
/Monitor/ActiveLists/ChangesPerSecond         monitor:123             Active list changes per second       Count per second, since startup 


Asset Statistics 

Asset statistics offer insight into performance areas that affect assets in the system and can help 
resolve source, destination, agent, and device asset issues for incoming events. These events 
summarize: 

• Asset resolutions per second is the average number of end-points in events that are resolved to 
assets in a second. 

• Asset resolutions average time is the average time in milliseconds taken to resolve an end-point 
in an event to an asset. 

• Asset scanner events per second is the number of scanner events processed in a second. 

• Asset scanner events average time is the average time in milliseconds taken to process a 
scanner event. 


Status Monitor Event Categories for Asset Statistics 

Device Event Category                               Device Event Class ID   Audit Event Description                     Notes 
/Monitor/Asset/TotalCount                           monitor:200             Asset total count                           Count, current value 
/Monitor/Asset/Scanner/EventsPerSecond              monitor:201             Scanner events processed per second         Count per second, since last monitor event 
/Monitor/Asset/ResolutionsPerSecond                 monitor:202             Asset resolutions per second                Count per second, since last monitor event 
/Monitor/Asset/Scanner/AverageTime                  monitor:203             Scanner event average processing time       Count per second, since startup 
/Monitor/Asset/ResolutionsAverageTime               monitor:204             Asset resolution average time               Microseconds per count, since startup 
/Monitor/Asset/ResolutionsAverageTime/Source        monitor:205             Asset source resolution average time        Microseconds per count, since startup 
/Monitor/Asset/ResolutionsAverageTime/Destination   monitor:206             Asset destination resolution average time   Microseconds per count, since startup 
/Monitor/Asset/Size                                 monitor:240             Transitive closure size                     Count, current value 




Data Monitor Statistics 

The data monitor statistics indicate how intensively the data monitors are working, which in turn can 
indicate situations such as filters needing adjustment or data monitors needing restructuring. These 
events summarize: 

• Active probes is the number of currently enabled data monitors. 

• Evaluations per second is the number of events times the number of enabled data monitors per 
second. 


Status Monitor Event Categories for Data Monitor Statistics 

Device Event Category                        Device Event Class ID   Audit Event Description               Notes 
/Monitor/DataMonitors/ActiveProbes           monitor:101             Active data monitor probe count       Count, current value 
/Monitor/DataMonitors/EvaluationsPerSecond   monitor:124             Data monitor evaluations per second   Count per second, since last monitor event 


Event Broker Statistics 

These statistics monitor reading events from, and writing events to, the database. As such, they are 
database health indicators. These events summarize: 

• Event count is the number of events inserted into the database since the last monitor event. 

• Insert time is the average time taken to insert each event into the database, in microseconds. 

• Retrieval time is the average time taken to retrieve each event from the database in microseconds. 
Status Monitor Event Categories for Event Broker Statistics 

Device Event Category                     Device Event Class ID   Audit Event Description            Notes 
/Monitor/EventBroker/InsertTime           monitor:102             Events insertion time per event    Microseconds per count, since last monitor event 
/Monitor/EventBroker/InsertedEventCount   monitor:103             Events processed count             Count, since last monitor event 
/Monitor/EventBroker/RetrievalTime        monitor:140             Events retrieval time per event    Microseconds per count, since last monitor event 


Filter Engine Statistics 


The count of in-memory filter evaluations can serve as a broad indicator of filter performance. 

Status Monitor Event Category for Filter Engine Statistics 

Device Event Category              Device Event Class ID   Audit Event Description    Notes 
/Monitor/Filters/EvaluationCount   monitor:161             Filter evaluation count    Count, since last monitor event 


Main Flow Statistics 

These events report statistically on the overall throughput of the Manager, for both incoming and 
internal events. This flow is the sequence of processing steps applied to each event and is a broad 
indicator or benchmark of system traffic. These events summarize: 

• Count describes the number of events that have passed through the flow since the manager 
started. 

• Rate describes the current event rate in events per second. 
Status Monitor Event Categories for Main Flow Statistics 

Device Event Category      Device Event Class ID   Audit Event Description   Notes 
/Monitor/MainFlow/EPS      monitor:230             Main flow event rate      Count per second, since last monitor event 
/Monitor/MainFlow/Events   monitor:231             Main flow event count     Count, since startup 


Notification Statistics 

This group reports on notification activity, which can be of diagnostic value in detecting unusually high 
notification activity. 

• New count describes the number of new notifications since the last monitor event. 

• Escalated count describes the number of notifications that were escalated since the last monitor 
event. 


Status Monitor Event Categories for Notification Statistics 

Device Event Category            Device Event Class ID   Audit Event Description      Notes 
/Monitor/Notification/New        monitor:180             New notification count       Count, since last monitor event 
/Monitor/Notification/Escalated  monitor:181             Escalated notification count Count, since last monitor event 


Pattern Discovery Statistics 

These events provide statistics for recent or pending pattern discovery runs. Because pattern 
discovery is database-intensive, these statistics can indicate or help diagnose database performance 
issues. 


Status Monitor Event Categories for Pattern Discovery Statistics 

Device Event Category         Device Event Class ID   Audit Event Description            Notes 
/Monitor/Patterns/RunCount    monitor:190             Pattern discoveries run count      Count, since last monitor event 
/Monitor/Patterns/RunsQueued  monitor:191             Pattern discoveries queued count   Count, current value 
Report Statistics 

These events provide statistics about the current number of reports querying the database or being 
rendered. Because reports are database-intensive, these statistics can indicate or help diagnose 
database performance issues. 


Status Monitor Event Categories for Report Statistics 

Device Event Category               Device Event Class ID   Audit Event Description           Notes 
/Monitor/Reports/Running            monitor:130             Reports running count             Count, current value 
/Monitor/Reports/RunningQueryingDB  monitor:131             Reports querying database count   Count, current value 
/Monitor/Reports/RunningRendering   monitor:132             Reports rendering count           Count, current value 


Resource Framework Statistics 

Resource-framework events report on the database activity connected with updates (reads, writes, and 
deletions) to system resources such as rules, assets, and filters, since the last monitor event. This 
data can be valuable in tracking or diagnosing performance-related issues such as automatic asset 
maintenance, the threat-level formula, or rule-driven usage. 


Status Monitor Event Categories for Resource Framework Statistics 

Device Event Category               Device Event Class ID   Audit Event Description         Notes 
/Monitor/Resource/Activity/Insert   monitor:171             Resources inserted per second   Count per second, since last monitor event 
/Monitor/Resource/Activity/Update   monitor:172             Resources updated per second    Count per second, since last monitor event 
/Monitor/Resource/Activity/Delete   monitor:173             Resources deleted per second    Count per second, since last monitor event 


Rules Engine Statistics 

The statistics related to the Manager's rules engine can help reveal performance issues in several 
areas. Remember that information about rules activity always needs to be considered in the full context 
of the Manager's operations. For example, a busy Moving Average data monitor, if used inefficiently, 
can affect several of these statistics; a poorly written rule can inadvertently drive up the rate of actions 
executed. 

These statistics have the following performance implications: 

• Count of events inserted into the rule engine: CPU. 

• Rate of event insertion into the rule engine: CPU. 

• Count of correlated events generated by the rule engine: CPU. 

• Rate of correlated event generation by the rule engine: CPU. 

• Count of events that are still present in the rule engine's working memory: memory. 

• Count of groupBy cells that are being used by the rule engine: memory. 

• Count of rules currently active in the rule engine: comparative value only. 

• Rate of actions being executed by the rule engine: CPU. 

• Count of events matching any rule: CPU, memory. 

• Count of events matching a rule with a single alias: CPU, memory. 

• Count of events matching a rule with multiple aliases: CPU, memory. 

• Count of rule matches: CPU, memory. 


Status Monitor Event Categories for Rules Engine Statistics 

Device Event Category                      Device Event Class ID   Audit Event Description              Notes 
/Monitor/Rules/InsertedEventCount          monitor:151             Rules total event count              Count, since last monitor event 
/Monitor/Rules/InsertedEventRate           monitor:152             Rules inserted events per second     Count per second, since last monitor event 
/Monitor/Rules/GeneratedEventRate          monitor:153             Rules generated events per second    Count per second, since last monitor event 
/Monitor/Rules/EventsInRuleEngineMemory    monitor:155             Rules in-memory event count          Count, current value 
/Monitor/Rules/GroupByCellsSize            monitor:156             Rules group by cells size            Count, current value 
/Monitor/Rules/ActiveRulesCount            monitor:157             Active rules count                   Count, current value 
/Monitor/Rules/ActionsTakenRate            monitor:158             Rules actions rate                   Count per second, since last monitor event 
/Monitor/Rules/GeneratedEventCount         monitor:159             Rules generated event count          Count, since last monitor event 
/Monitor/Rules/EventsMatchingAnyRule       monitor:232             Events matching any rule             Count, since last monitor event 
/Monitor/Rules/EventsMatchingFilterRule    monitor:233             Events matching filter rule          Count, since last monitor event 
/Monitor/Rules/EventsMatchingJoinRule      monitor:234             Events matching join rule            Count, since last monitor event 
/Monitor/Rules/MatchCount                  monitor:235             Match count                          Count, since last monitor event 


Session List Statistics 

Session list statistics monitor the resources being used by session lists. Session lists entries use 
some memory and database resources, and use CPU resources when they are referenced by other 
parts of the system (for example, rules, reports, and filters). 
Status Monitor Event Categories for Session List Statistics 

Device Event Category                     Device Event Class ID   Audit Event Description            Notes 
/Monitor/SessionLists/ListCount           monitor:260             Open session list count            Count, current value 
/Monitor/SessionLists/EntryCount          monitor:261             Session list entry count           Count, current value 
/Monitor/SessionLists/EntryCapacity       monitor:262             Session list entry capacity        Count, current value 
/Monitor/SessionLists/EntryPercentUsed    monitor:263             Session list entry usage           Percent, current value 
/Monitor/SessionLists/QueriesPerSecond    monitor:264             Session list queries per second    Count per second, since startup 
/Monitor/SessionLists/ChangesPerSecond    monitor:265             Session list changes per second    Count per second, since startup 


Session Management Statistics 


This statistic tracks the current number of active user sessions. 

Status Monitor Event Category for Session Management Statistics 

Device Event Category            Device Event Class ID   Audit Event Description   Notes 
/Monitor/Sessions/Active/Total   monitor:160             Active session count      Count, current value 


SmartConnector Flow Statistics 

SmartConnector (agent) flow statistics record the event rates that occur at different stages of agent 
processing. "Sum of" statistics are sums of all values reported by all agents connected to the Manager. 
All values are statistics over the past 1-minute range. These events summarize: 

• Received event rate is the rate at which agents receive events from devices. 

• Post-filter event rate is the rate of events that passed the filter (that is, were not filtered out). 

• Post-aggregation event rate is the event rate after aggregation. 

• Agent-to-manager event rate and count describe how many events were actually sent to the 
Manager. 

• Cache size describes the estimated size of the on-disk agent event cache. 


Status Monitor Event Categories for SmartConnector Flow Statistics 

Device Event Category                       Device Event Class ID   Audit Event Description                  Notes 
/Monitor/Agents/Events/ToManager            monitor:104             Agent to-manager event count             Count, since startup 
/Monitor/Agents/EPS/ToManager               monitor:109             Agent to-manager event rate              Count per second, since last monitor event 
/Monitor/Agents/EPS/Received                monitor:110             Agent received event rate                Count per second, since last monitor event 
/Monitor/Agents/EPS/PostFilter              monitor:111             Agent post-filter event rate             Count per second, since last monitor event 
/Monitor/Agents/EPS/PostAggregation         monitor:112             Agent post-aggregation event rate        Count per second, since last monitor event 
/Monitor/Agents/CacheSize                   monitor:113             Estimated agent cache size               Count, current value 
/Monitor/Agents/Total/Events/ToManager      monitor:141             Sum of agent to-manager event counts     Count, since startup 
/Monitor/Agents/Total/EPS/ToManager         monitor:146             Sum of agent to-manager event rates      Count per second, since last monitor event 
/Monitor/Agents/Total/EPS/Received          monitor:147             Sum of agent received event rates        Count per second, since last monitor event 
/Monitor/Agents/Total/EPS/PostFilter        monitor:148             Sum of agent post-filter event rates     Count per second, since last monitor event 
/Monitor/Agents/Total/EPS/PostAggregation   monitor:149             Sum of agent post-aggregation event rates Count per second, since last monitor event 
/Monitor/Agents/Total/CacheSize             monitor:150             Sum of estimated agent cache sizes       Count, current value 
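As an added example (not ESM's own code or content), the following Python runs capacity and consistency checks over status monitor events of the kind listed in the tables above. It assumes a constructed "key=value|key=value" line format, constructed sample events and illustrative thresholds; only the /Monitor categories and their class IDs come from the tables.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MonitorEvent:
    category: str   # Device Event Category, e.g. /Monitor/ActiveLists/EntryPercentUsed
    class_id: str   # Device Event Class ID, e.g. monitor:117
    value: float    # the reported count, rate, percent or microsecond value
    ts: int         # epoch seconds (constructed field for this example)


# Category -> class ID pairs taken from the tables above. A mismatch between
# the two fields on an event is a content or parsing problem worth flagging.
EXPECTED_CLASS_ID: Dict[str, str] = {
    "/Monitor/ActiveLists/EntryPercentUsed": "monitor:117",
    "/Monitor/ActiveLists/TemporaryPercentageUsed": "monitor:121",
    "/Monitor/SessionLists/EntryPercentUsed": "monitor:263",
    "/Monitor/Agents/CacheSize": "monitor:113",
    "/Monitor/Agents/Events/ToManager": "monitor:104",
    "/Monitor/Rules/ActionsTakenRate": "monitor:158",
    "/Monitor/EventBroker/InsertTime": "monitor:102",
}

# Illustrative alert thresholds (constructed, not ESM defaults). Percent
# categories are compared against a percentage, the rest against the raw value.
THRESHOLDS: Dict[str, float] = {
    "/Monitor/ActiveLists/EntryPercentUsed": 90.0,
    "/Monitor/ActiveLists/TemporaryPercentageUsed": 90.0,
    "/Monitor/SessionLists/EntryPercentUsed": 90.0,
    "/Monitor/Agents/CacheSize": 1_000_000,    # cached events on one connector
    "/Monitor/Rules/ActionsTakenRate": 200.0,  # rule actions per second
    "/Monitor/EventBroker/InsertTime": 5000.0, # microseconds per inserted event
}

# Categories whose Notes column reads "since startup": cumulative counters
# that must be differenced between consecutive events to obtain a rate.
CUMULATIVE = {"/Monitor/Agents/Events/ToManager", "/Monitor/MainFlow/Events"}


def parse_line(line: str) -> MonitorEvent:
    """Parse one constructed 'key=value|key=value' line into a MonitorEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return MonitorEvent(fields["deviceEventCategory"], fields["deviceEventClassId"],
                        float(fields["value"]), int(fields["ts"]))


def check_event(ev: MonitorEvent) -> List[str]:
    """Return findings for one status monitor event (empty list if none)."""
    findings: List[str] = []
    if not ev.category.startswith("/Monitor"):
        return findings  # same test as the StartsWith /Monitor channel condition
    expected = EXPECTED_CLASS_ID.get(ev.category)
    if expected is not None and expected != ev.class_id:
        findings.append(f"{ev.category}: class id {ev.class_id}, expected {expected}")
    limit = THRESHOLDS.get(ev.category)
    if limit is not None and ev.value >= limit:
        findings.append(f"{ev.category}: {ev.value:g} at or above {limit:g}")
    return findings


def rate_from_cumulative(prev: MonitorEvent, cur: MonitorEvent) -> Optional[float]:
    """Per-second rate from two 'since startup' counters, or None if it cannot
    be derived. A counter that went down means the Manager restarted."""
    if prev.category != cur.category or cur.category not in CUMULATIVE:
        return None
    elapsed = cur.ts - prev.ts
    if elapsed <= 0 or cur.value < prev.value:
        return None
    return (cur.value - prev.value) / elapsed


def evaluate(lines: List[str]) -> Dict[str, List[str]]:
    """Run check_event over every line and derive rates for cumulative counters."""
    findings: Dict[str, List[str]] = {}
    last_seen: Dict[str, MonitorEvent] = {}
    for line in lines:
        ev = parse_line(line)
        hits = check_event(ev)
        prev = last_seen.get(ev.category)
        if prev is not None:
            rate = rate_from_cumulative(prev, ev)
            if rate is not None:
                hits.append(f"{ev.category}: {rate:g} events/s derived from counter")
        last_seen[ev.category] = ev
        if hits:
            findings.setdefault(ev.category, []).extend(hits)
    return findings


# Constructed sample events, not captured from a real Manager. The InsertTime
# line deliberately carries the wrong class ID; the last line is not a /Monitor event.
SAMPLE_LINES = [
    "deviceEventCategory=/Monitor/ActiveLists/EntryPercentUsed|deviceEventClassId=monitor:117|value=94.5|ts=1000",
    "deviceEventCategory=/Monitor/SessionLists/EntryPercentUsed|deviceEventClassId=monitor:263|value=40|ts=1000",
    "deviceEventCategory=/Monitor/Agents/Events/ToManager|deviceEventClassId=monitor:104|value=120000|ts=1000",
    "deviceEventCategory=/Monitor/Agents/Events/ToManager|deviceEventClassId=monitor:104|value=132000|ts=1060",
    "deviceEventCategory=/Monitor/EventBroker/InsertTime|deviceEventClassId=monitor:140|value=250|ts=1060",
    "deviceEventCategory=/Constructed/NotAMonitorEvent|deviceEventClassId=constructed:0|value=1|ts=1060",
]

if __name__ == "__main__":
    for hits in evaluate(SAMPLE_LINES).values():
        for hit in hits:
            print(hit)
```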


Threat 

The means by which the potential of a threat connector to adversely affect an automated system, 
facility, or operation can be manifested. A potential violation of security. 


Threat Evaluation 

The Manager incorporates a system of security-threat evaluation that culminates in the Priority field 
you often see in views, reports, or event details. The Priority field uses a scale of 0-10 to rate incoming 
"Events", with 10 being the most significant value. Naturally, you use Priority field threat-evaluation 
values as a factor in many types of analyses and in rule-driven reaction or "Notifications" scenarios. 


Evaluation Process 

Threat evaluation is "always on" and applies to all the events received by the Manager. The evaluation 
process consists of: 

1. Identify the targeted asset. 

The identification process uses (in this order) the Target Address, Target Host Name, Target MAC 
Address, or relevant asset address range to classify the targeted asset. 

2. Identify the targeted vulnerabilities. 

Using the targeted asset as a key, the Manager looks up applicable vulnerabilities. 

3. Match the targeted vulnerabilities with the vulnerabilities of the targeted asset. 

When matches occur, one is chosen and placed in the Event Vulnerability field. 

4. Compute the event's threat-priority value. 

It is at this point that ESM performs the computation involving model confidence, relevance, 
criticality, and severity (in this specific order), as described further in the next section. 


Evaluation Definitions 

The Priority field is a calculated value. It uses a formula that processes the contents of certain 
"Prioritization Fields" that help assess the potential security impact of an event. These fields use 
information about specific Assets and "Vulnerabilities" to establish models, and a confidence factor 
concerning the appropriateness of those models. Given confidence about a particular 
asset/vulnerability model, events directed at that asset can then be evaluated against a combination of 
factors that include relevance, criticality, and severity. 

An event has relevance as a threat if it contains an "Attack" signature that is genuinely applicable to 
the targeted "Device", and the device is in a posture that would permit a successful attack. For 
example, is the event aimed at a valid port, and when the port was checked, was it open? 

An asset's degree of criticality is based on the way it serves your enterprise, as seen from the 
perspective of the network's asset categories. For example, a server could be categorized among your 
"Very High Criticality Assets" because it handles customer financial transactions. 

An event has severity if the targeted device is of a more sensitive type that is known to be subject to 
compromise, and the source of the event has been identified as a hostile or suspicious entity. 
Specifically, this is the value found in the Device Severity field. For example, did the event originate 
from an arch competitor on your Hostile List and was it aimed at a router on your Compromised List? 

These three factors, when enabled by a suitable model confidence value, are averaged to produce the 
value that appears in the Priority field. If a suitable model confidence value isn't present, then severity 
and criticality are averaged to produce a value for Priority. The exploited vulnerability is also recorded in 
the event's vulnerability field. (See "Investigating Views" on page 223.) 

The exact numeric weight applied to each possible relevance, severity, or criticality state (such as 
unknown, low, medium, high, very high) is set through a configuration file named 
ThreatLevelFormula.xml. This file is usually configured prior to deployment, using your enterprise 
policies to guide relative value choices. 
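As an added example (not ESM's implementation), the following Python walks through the four evaluation steps and the averaging rule described above. The asset model, the signatures "SIG-A"/"SIG-B", the per-state weights, the "suitable" confidence cutoff and the relevance mapping are all constructed stand-ins for what a deployment would configure in ThreatLevelFormula.xml and its asset resources.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed per-state weights on the 0-10 Priority scale. A real deployment
# sets these in ThreatLevelFormula.xml; none of the numbers here are defaults.
STATE_WEIGHT = {"unknown": 0, "low": 2, "medium": 5, "high": 8, "very high": 10}
SUITABLE_CONFIDENCE = "medium"  # constructed cutoff for a "suitable" model confidence


@dataclass
class Asset:
    name: str
    address: Optional[str] = None          # single asset address
    host_name: Optional[str] = None
    mac: Optional[str] = None
    address_range: Optional[str] = None    # CIDR, for an asset range resource
    criticality: str = "unknown"           # from the asset's category, e.g. "very high"
    vulnerabilities: FrozenSet[str] = frozenset()  # signatures a scanner found on it
    model_confidence: str = "unknown"      # how well vulnerability data fits the asset


@dataclass
class Event:
    target_address: Optional[str] = None
    target_host_name: Optional[str] = None
    target_mac: Optional[str] = None
    attack_signatures: FrozenSet[str] = frozenset()  # the event's "Attack" signatures
    device_severity: str = "unknown"                 # the Device Severity field
    event_vulnerability: Optional[str] = None        # filled in by step 3
    priority: Optional[float] = None                 # filled in by step 4


def identify_asset(ev: Event, assets: List[Asset]) -> Optional[Asset]:
    """Step 1: classify the targeted asset by Target Address, then Target Host
    Name, then Target MAC Address, then a matching asset address range."""
    for a in assets:
        if ev.target_address and a.address == ev.target_address:
            return a
    for a in assets:
        if ev.target_host_name and a.host_name == ev.target_host_name:
            return a
    for a in assets:
        if ev.target_mac and a.mac == ev.target_mac:
            return a
    if ev.target_address:
        addr = ip_address(ev.target_address)
        for a in assets:
            if a.address_range and addr in ip_network(a.address_range):
                return a
    return None


def match_vulnerability(ev: Event, asset: Asset) -> Optional[str]:
    """Steps 2 and 3: look up the asset's vulnerabilities and match them against
    the event's signatures. When several match, one is recorded; taking the
    first in sorted order is a constructed choice, not ESM's selection rule."""
    matches = sorted(ev.attack_signatures & asset.vulnerabilities)
    return matches[0] if matches else None


def compute_priority(relevance: str, criticality: str, severity: str,
                     model_confidence: str) -> float:
    """Step 4: with a suitable model confidence, average relevance, criticality
    and severity; otherwise average only criticality and severity."""
    r, c, s = (STATE_WEIGHT[x] for x in (relevance, criticality, severity))
    if STATE_WEIGHT[model_confidence] >= STATE_WEIGHT[SUITABLE_CONFIDENCE]:
        return (r + c + s) / 3
    return (c + s) / 2


def evaluate(ev: Event, assets: List[Asset]) -> Event:
    """Run the four steps and fill in Event Vulnerability and Priority."""
    asset = identify_asset(ev, assets)
    if asset is None:
        # Unknown target: no model, so only severity and (unknown) criticality count.
        ev.priority = compute_priority("unknown", "unknown", ev.device_severity, "unknown")
        return ev
    ev.event_vulnerability = match_vulnerability(ev, asset)
    # Constructed relevance mapping: a matched vulnerability means the attack
    # genuinely applies to the target; otherwise relevance is low.
    relevance = "high" if ev.event_vulnerability else "low"
    ev.priority = compute_priority(relevance, asset.criticality,
                                   ev.device_severity, asset.model_confidence)
    return ev


# Constructed asset model: one scanned server and one unscanned lab range.
ASSETS = [
    Asset("payments-db", address="10.0.5.20", criticality="very high",
          vulnerabilities=frozenset({"SIG-A", "SIG-B"}), model_confidence="high"),
    Asset("lab-range", address_range="10.0.9.0/24", criticality="low"),
]

if __name__ == "__main__":
    hit = evaluate(Event(target_address="10.0.5.20", device_severity="high",
                         attack_signatures=frozenset({"SIG-A"})), ASSETS)
    print(hit.event_vulnerability, round(hit.priority, 2))
```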
Maintaining Model Confidence 

The asset/vulnerability model confidence for various network devices is based on correlations between 
the asset and vulnerability resources you can see in the resource trees of the ArcSight Console's 
Navigator panel. Fresh vulnerability information that correlates well with a particular asset's 
identification results in greater model confidence. 

Stated more directly, the model is the sum of the resources that describe the protected and external 
networks: assets, asset ranges, asset categories, network zones, and certain active lists. 

While asset and vulnerability information can be updated manually, it is more practical to refresh this 
information by automated means such as vulnerability scanners. (See "Managing Vulnerabilities" on 
page 128.) ESM can automatically import vulnerability information from certain scanner products. 
Information drawn successively from the same scanner product is overwritten when duplicative; 
information from different products is additive. Information about new assets or vulnerabilities 
generates new resource references, and the Manager automatically matches the new references to 
their opposites, whether new or old. 

Note: You can update asset resources in bulk using XML files. 


Using Threat Evaluation Information 

While the Priority field has many obvious uses, starting with simply sorting the events in grid views, 
there are other ways to put this and its underlying information to work. 

Rules, reports, filters, and any place you can apply logic can use the threat-evaluation operators 
described in "Priority Calculations and Ratings" on page 1010. You can also use the values described 
in "Prioritization Fields" on page 1009 to perform many threat-related functions. 


Limitations and Workarounds 

Because it is dependent upon a certain amount and type of event data, threat evaluation can be 
inhibited by the following factors: 

• A correlation event, produced by a rule or a data monitor, may not be populated with enough 
information. Only fields used to 'group by' will be populated in correlated events. Without enough 
information (such as targeted asset or severity) the threat evaluation will not be able to make a 
sound decision on the event's priority. 

• Over-population of correlated events can also inhibit results. Some rules are only used to maintain 
active lists. These rules do not generate useful new information, but the "group by" they need to use 
in order to collect the information for an active list may give them the appearance of a seriously 
offensive event. 
• Rules offer the option to set your own priority. If a rule populates the priority attribute, then a threat 
model component will not change that value. 

To compensate, you can use these techniques: 

• Use the Priority field's value to control when you do and don't notify. 

• If a rule is inferring some new piece of information (such as the classic Brute Force Login Attempt), 
then make sure that you "group by" sufficient information to be able to characterize the threat later. 
In the BFLA case, that would mean using the source and target addresses from the base events 
and setting the severity attribute to, for example, "Low"; the BFL Success rule, on the other hand, 
would set severity to "Very High". 

• If the rule is a bookkeeping rule, try to copy as little information forward as you can, set the severity 
to low, and set the category to "/informational". 


Thresholds 

There are two types of thresholds: rule thresholds and event thresholds. 

A rule threshold is the point at which a rule is triggered and a correlation event generated. 

An event threshold is the number of times the event must occur before triggering the rule threshold. 

A rule can have a threshold that states when the rule is triggered and also specify a threshold for each 
rule event. For example, thresholds can be created so that a rule is triggered only after all the events in 
the rule have occurred a set number of times. 

See also "Rules" on page 1029. See also "Events" on page 989 and "Event Categorization" on 
page 990 for information related to events. 


Time Error Correction 

In the context of the ArcSight Console, time error correction means the synchronization of time 
between a network "Device", its SmartConnector, and the Manager. 

See also "SmartConnectors" on page 1044. 


Timestamps 

Because timestamps are a key element in network security analysis, it is important to clarify the 
location, source, and context of the timestamps. 

All timestamps are stored as Coordinated Universal Time (UTC) times. 

The ArcSight Console presents timestamps in the local time zone of the host computer using the Java 
Locale facility. 
Log timestamps are produced by the local JVM for that component and are written using the Java 
Locale facility. 

Timestamps are kept in epoch time, an integer value representing the number of seconds since 
January 1, 1970, at 00:00:01 (UTC). Timestamps cannot be earlier than that date/time. The largest 
integer (number of seconds) that can be stored for this value limits the timestamp range to January 19, 
2038 at 03:14:07 (UTC). No timestamps can be after that date/time. 

See also "Timestamp Variables" on the next page. 


Timestamps for Security Events 

Multiple timestamps are applied to events in the course of processing. 


Timestamps for Events 

Device Receipt Time: The timestamp applied by the source sensor device upon receipt of the event. 

Connector Receipt Time: The timestamp applied by the SmartConnector's JVM (Java Virtual Machine) 
when the event is received from the originating sensor device. 

Manager Receipt Time: The timestamp applied by the Manager's JVM (Java Virtual Machine) when the 
event is received from the SmartConnector. 

Start Time: The time at which the event actually began, as recorded by the source sensor device or, 
possibly, a secondary source monitored by that device. 

End Time: The time at which the event actually ended, as recorded by the source sensor device or, 
possibly, a secondary source monitored by that device. 


Timestamps for Resources 

Timestamps are applied to the resources you see in the Navigator panel. 


Timestamps for Resources 

Resource Created: This timestamp is applied by the Manager's JVM (Java Virtual Machine) when a 
resource is created. 

Resource Modified: This timestamp is applied by the Manager's JVM (Java Virtual Machine) when a 
resource is changed. 
Timestamp Variables 

For date and time data fields, such as Detect Time, you can type an actual date value, such as 
10/12/2002 8:54:00 AM, or can use special system variables such as: 

• $CurrentDateTime: for the date and time the report is run; the system variable is replaced by the 
current date and time value. 

• $CurrentDate: for the date the report is run; the system variable is replaced with the date value, 
truncating the time of the day to 0, when the report is scheduled or run. 

You can also specify certain date operations with these system variables to add or subtract a number 
of specified days or hours. For example, $CurrentDate - 7d evaluates to the current date minus seven 
days (seven days before the date the report is run), and $CurrentDateTime - 12h evaluates to the 
current date and time minus 12 hours. Do not create an operation that will result in a timestamp that is 
out of range (the range is January 1, 1970, at 00:00:01 through January 19, 2038 at 03:14:07, UTC), 
or you will get an error. 

The time and date editing window you access through the Detect Time and Detect Time Offset fields 
of the ArcSight Console's Report Editor can accept month (uppercase M), minute (lowercase m), and 
current week (uppercase W) parameters. 

Use spaces to separate these special system variables or parameters from other operators when 
including them in a condition statement. 
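The following is an added example, not code from the ArcSight documentation or from ESM itself. It shows how a small evaluator for expressions such as $CurrentDate - 7d and $CurrentDateTime - 12h can enforce the two rules stated above: the operator must be separated from the variable and the offset by spaces, and the result must stay inside the epoch range of January 1, 1970 00:00:01 through January 19, 2038 03:14:07 UTC. The accepted syntax (only d, h and m suffixes, only + and -) and the function names are assumptions made for this example; ESM's own parser is not used.

```python
"""Evaluate report-time timestamp variables ($CurrentDate, $CurrentDateTime)
with optional "+/- Nd|Nh|Nm" offsets and reject out-of-range results.

Added example, not part of the ArcSight documentation. The grammar below
(space-separated operators, d/h/m units only) is an assumption drawn from the
text; ESM's own expression parser is not reproduced here.
"""
import re
from datetime import datetime, timedelta, timezone

# Range stated in the documentation (UTC): 1970-01-01 00:00:01 .. 2038-01-19 03:14:07.
EPOCH_MIN = datetime(1970, 1, 1, 0, 0, 1, tzinfo=timezone.utc)
EPOCH_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)

# One system variable, followed by zero or more " +/- <count><unit>" terms.
# The \s+ around the operator enforces the "use spaces to separate" rule.
_EXPR = re.compile(
    r"^\$(?P<var>CurrentDateTime|CurrentDate)"
    r"(?P<ops>(?:\s+[+-]\s+\d+[dhm])*)\s*$"
)
_TERM = re.compile(r"([+-])\s+(\d+)([dhm])")
_UNITS = {"d": timedelta(days=1), "h": timedelta(hours=1), "m": timedelta(minutes=1)}


def evaluate_timestamp_expr(expr: str, now: datetime) -> datetime:
    """Return the UTC datetime that `expr` denotes when evaluated at `now`."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    now = now.astimezone(timezone.utc)
    match = _EXPR.match(expr.strip())
    if not match:
        raise ValueError(f"unrecognized timestamp expression: {expr!r}")
    base = now
    if match.group("var") == "CurrentDate":
        # $CurrentDate truncates the time of day to 0.
        base = now.replace(hour=0, minute=0, second=0, microsecond=0)
    for sign, count, unit in _TERM.findall(match.group("ops")):
        delta = _UNITS[unit] * int(count)
        base = base + delta if sign == "+" else base - delta
    if not EPOCH_MIN <= base <= EPOCH_MAX:
        raise ValueError(f"{expr!r} evaluates to {base.isoformat()}, outside the epoch range")
    return base


def evaluate_iso(expr: str, now_iso: str) -> str:
    """Convenience wrapper: ISO-8601 run time in, ISO-8601 UTC result out."""
    return evaluate_timestamp_expr(expr, datetime.fromisoformat(now_iso)).isoformat()


if __name__ == "__main__":
    run_time = "2003-09-22T18:18:24+00:00"   # constructed run time
    for e in ("$CurrentDate - 7d", "$CurrentDateTime - 12h"):
        print(e, "->", evaluate_iso(e, run_time))
```

Expressions written without the separating spaces ($CurrentDate-7d) are rejected rather than guessed at, and an offset that would push the result past 2038 or before 1970 raises an error instead of producing a wrapped-around timestamp.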

See also "Variables" on page 1069 and the subtopic on "Timestamp Functions" on page 1081. 


Inclusive Timestamps 

The Detect Time timestamps reported for correlated events include the timestamps of the base 
events that initiated them. The timestamp is that of the most recent base event in the series of base 
events that caused the correlated event. 

For example, an event's Detect Time field in the Event Inspector might now show 22 Sep 2003 
18:18:24 PDT instead of 22 Sep 2003 16:10:29 PDT, with the difference being that the earlier 
timestamp represents the last base event rather than a later correlated event. 

This refinement helps you interpret correlated events more readily, without the need to trace back 
through detailed rule chains. 

Note: You can also inspect the Connector Time parameter to find out just when a rule triggered 
(the time that was recorded as the Detect Time in prior releases). 
Time Zone Correction 

The correction of a local time zone is the number of hours of offset to apply in order to adjust local time 
to another clock (often UTC or GMT) to synchronize device-time queries, correlation, and filters. 


Trends 

A trend is a resource that defines how and over what time period data will be aggregated and evaluated 
for trends. A trend executes a specified query on a defined schedule and time duration. 

Building trends is a component of Reporting resource tools. Be sure to see "Building Reports" on 
page 371 for an overview of all reporting tasks and tools, and "Understanding the Reporting Workflow" 
on page 371 to see how Trends fit into the process of creating a report. 


Understanding Trends and Queries 

A base trend is made up of one query. Trends can be used as the primary data source for a report. Or, a 
trend (based on one query) can be used as the data source to another query (a trend query) that further 
refines the initial query result. A collection of trend queries (queries that use trends as their data source) 
can provide focused views of a data set which can then be fed into a single report or multiple reports. 

The system evaluates source data for trends based on event conditions (such as number of worm 
outbreaks, incident time-to-close, or number of cases closed) or common network elements (such as 
operating system, business role, or regulatory compliance relevance). 

This provides a means not only of querying the current model of the network, but also of building 
reports on queries of historical data, scheduled queries, and snapshot trends. Using queries in trends 
allows you to evaluate, for example, trending statistics on vulnerabilities and incident metrics over time 
to determine whether your vulnerability posture or incident closing rate is getting better or worse. 

The generic trend reporting and a set of specific reports show trends on current data. For example, you 
can evaluate trends by operating system, by role, by compliance requirement, time to close on cases, 
and number closed. 

You can provide a trend on a selected period of time, and pull reports that generate aggregated data. 
Trends can include case metrics such as time to close, open and time open, and number closed, which 
allows for trending reports on incidents. 

For more information, see "Query-Trend Relationships in Reporting" on page 428 in "Building Trends" 
on page 427. 


Building Trends 

You can access trends and associated editors in the Reports resource in the ArcSight Console. 
See "Building a Trend" on page 429 for information on how to navigate to and use the Trend Editor for 
"Defining Trend Settings". 


User Groups 

User groups are named and organized collections of "Users". You can create groups based on 
departments, permission levels, work shifts, or whatever structure best supports your enterprise. 

All users within a group inherit the group's permissions. If permissions are given to or taken from a 
group, all users within that group gain or lose those permissions. When users belong to more than one 
group, they receive permissions from all their groups. For example, if a user is in a group that has 
inspect permissions to all rules and is in another group with inspect permissions to all reports, the user 
will be able to inspect both rules and reports. 

The following pre-defined groups help you manage your users: 

• Users: Lists the current logged-in user and grants permission to inspect and edit their own 
information. 

• Shared: Lists groups and users that the logged-in user has permissions to. 

• All Users: Lists all groups and users; only Administrators have permission to this group. 

Groups created from the All Users group inherit permissions to only a few resources. You can either 
edit the group ACL to add or remove permissions or create groups beneath one of the pre-existing 
groups to inherit a pre-configured set of permissions. 

• Default User Groups: Lists groups and users with default permissions to all resources. For more 
information on resources, see "Editing Access Control Lists (ACLs)" on page 189. 

• Administrators: Lists groups and users with full rights and access to manage all groups and users. 


Note: Do not delete the Administrators group. It grants administrative access. The 
Administrators group contains at least one user account. This user account is created during 
installation. 


• Live Rules Editors: Lists groups and users with permissions to inspect and edit rules. 

• Reports Editors: Lists groups and users with permissions to inspect and edit reports. 

• Unassigned: Lists users who do not belong to a group. 


Users 

Users are individuals who are assigned login names, passwords, and privileges to access and perform 
operations using the ArcSight Console or Command Center. For details on using the ArcSight Console 
for various tasks on dealing with users as an administrator, see "Managing Resources" on page 670. 
You manage users by storing user information, setting passwords, enabling or disabling login 
functionality, and organizing them into groups. When you create a new user account, a temporary 
password must be created for the user to log in to the ArcSight Console. The user should change their 
password during their initial session. For more information on changing passwords, see "Changing 
Your Password" on page 78. If you are an administrator, also refer to "Changing Other Users' 
Passwords" on page 78. 

As an added security feature, user logins can be disabled. This feature may be used when the user is 
on an extended leave of absence, if the user ID and password have been compromised, or for any 
reason the user ID and password should not be used to access the ArcSight Console. 

When users are deleted, they are removed from the Users resource tree but not from the database. The 
deleted user ID is stored in the database for future offline processing and user activity auditing. If the 
user belongs to more than one group, the user account is deleted from all groups automatically. 


User Types 

User accounts serve several purposes. To enable giving all users only the minimum set of privileges 
that are needed for them to fulfill their duties, user accounts have a "user type." The user type 
specifies, at a high level, which features a user may access. This mechanism is complementary but 
does not replace permissions specified by access control lists (ACLs), which allow administrators to 
control access to resources such as assets, rules, and filters. User types are used primarily to control 
access to Manager services such as archiving and other management tools. See "Managing Users" on 
page 180. 

Most often, user types are used to limit the risk resulting from the fact that user name and password 
combinations are stored on disk for components that require unattended startup but have to 
authenticate to the Manager. For example, the Forwarding Connector needs to authenticate to the 
Manager in order to obtain events, but does not need access to any of the resource management 
functionality provided by archive and other management tools. 

The currently supported user types are: 

• Normal User: Has full privileges to use the Command Center and ArcSight Console, and all tools. 
Only apply this user type to accounts that actually need access to the ArcSight Manager. 

• Management Tool: Has only the privileges needed to run certain management tools used in 
conjunction with network management products. 

• Forwarding Connector: Has only the privileges needed by the Forwarding Connector. 

• Archive Utility: Has only the privileges needed to run the archive utility. Access to specific 
resources is controlled through ACLs. 

• Connector Installer: A specialized identity used only to add SmartConnectors to the system. 

• Web User: Has privileges to use the Command Center only, not the ArcSight Console. 

Unassigned users are those that do not belong to a group. 
Variables 

Variables are used to derive values from events, assets, and other resources (for example, a target IP 
address in an attack event, the MAC address or zone of a vulnerable asset, the timestamps on a user 
login session, entries in a hot list, and so forth). 

You can use variables to create and tune "Active Channels", "Filters", "Reports", "Rules", "Field Sets", 
and "Data Monitors", or to expose more information, such as in report or grid view columns. The editors 
for these tools each include a Variables tab on which to add, edit, or remove variables. 

Once created, variables appear in the "Common Conditions Editor (CCE)" as additional fields on the 
Filters or Conditions tabs; in Group By arguments for data monitors and rules; and in Select, Group 
By, and Order By fields for queries. In the Field Set Editor, variables are an additional category that 
appears once variables are defined. 

Variables are especially useful for situational-awareness applications such as reporting on attacks by 
division, or for compliance monitoring as in reporting the number of compromise events directed at 
Sarbanes-Oxley related devices. 

Asset-category variables are based on the relevant resource ID of the modeled network asset (device). 
Timestamp variables are based on the start, end, or receipt times recorded by SmartConnectors, 
Managers, or devices. 


About Functions 

Functions configured for variables let you perform various operations on the derived values. To access 
event fields for use in variable functions, you either use the pick lists provided in the local or global 
variable dialogs or, in some cases, employ velocity expressions (templates) in statements. (See 
"Velocity Templates" on page 1093 for an explanation of how to construct velocity expressions.) 

When you click Add in a Variables tab, the Add Variable dialog box can present several fields, 
depending on the function to be used. All field values can be edited later except the choice of function. 
To change a Variable from one function to another, create a new Variable and delete the old Variable. 

The Add Variable dialog includes the option to preview (or calculate) the results for some variable 
functions, given test values that you specify. 

Note: Previewing the result of your variable definition 

• The Preview (or Calculate) feature on the Add Variable dialog is supported for some but not all 
variable functions. For example, functions for list data types such as GetSizeOfList and 
GetListElement do not support the Preview feature. 

• There is no way to specify a NULL value for Preview input to a Variable function. The Preview 
assumes that a blank field for an input is an empty String. Therefore, you cannot use Preview 
on the Variable dialog to test inputs for a parameter with NULL values. 


See also "Variable Definition Fields" on page 1071. 
About Remote Variables 

Variables using Group, List, and Category Model functions are evaluated and processed on the 
Manager, not directly on the ArcSight Console, and are referred to as remote variables. 

These remote variables are evaluated only once on the ArcSight Console for any given event or 
resource. Therefore, the value of the variable on the ArcSight Console will not change if the underlying 
data is later modified in a way that would result in a different value for the variable. New events in event 
channels and resources in resource channels will evaluate the variable again, and you will see the 
updated value. 

Because not all variables can be calculated on the ArcSight Console, there may be a delay in returning 
values from variables calculated remotely on the Manager. 

Note: Variables do increase processing overhead and can affect report-generation performance. 
Consider the performance sensitivity of a report before adding variables. 


Local and Global Variables 

Variables you create in resources on the Local Variables tab of a resource editor are local to the 
resource for which you create them. For example, if you create a local variable in a query to get an 
active list value, that variable is available only to that query; not in other queries, rules, or filters. 
Queries themselves are available for use in trends, reports, and query viewers, but the local variables 
used to build them are not. 

You can create global variables on field groups that are available across resources. The general 
information provided in this reference topic on variables, variable fields, and functions applies to both 
local and global variables. The main difference is that global variables are available across resources 
whereas local variables are not. 

To create a local variable, click the Variables tab in a resource (for example, "Active Channels", 
"Filters", "Queries", "Rules"), name it, choose a function and provide arguments as needed. 

To create a global variable, navigate to Field Sets, click the Fields & Global Variables tab, and use 
the Global Variables editor to select a function and parameters (as described in "Global Variables" on 
page 555). 

Both local and global variables give you access to the same functions. All available functions are 
described in detail in "Variable Definition Fields" on the next page. 




[Screenshot: the Function drop-down of the Add Variable dialog. The left column lists the function 
categories (Alias, Arithmetic, Category Model, Condition, Group, IP Address, List, String, Timestamp, 
Type Conversion, Value List); the right column lists the functions of the selected category, here 
Concatenate, ConcatenateThree, EvaluateVelocityTemplate, IndexOf, LastIndexOf, LengthOf, 
Substring, ToLower, and ToUpper. OK and Cancel buttons close the dialog.] 


For more information on local variables, refer to the topics on editing any particular resource (Filters, 
Rules, Queries for Reports or "Query Viewers", and so forth). 

For more information on global variables and field sets, see "Global Variables" on page 555 and "Field 
Sets" on page 546. 


Variable Definition Fields 


A variable has a name, a function associated with the variable, and one or more arguments. 


Name: A meaningful name for the variable that is unique to the associated resource. Variable names 
must start with a letter, and can contain letters, numbers, underscores, and spaces. Trailing spaces at 
the end of a variable name will be removed. Special characters, other than those mentioned above, are 
not allowed. 

Function: Functions are grouped into the following types: 

• "Alias Functions" below 

• "Arithmetic Functions" on the next page 

• "Category Model Function" on page 1075 

• "Condition Functions" on page 1076 

• "Group Functions" on page 1077 

• "IP Address Functions" on page 1079 

• "List Functions" on page 1079 

• "String Functions" on page 1080 

• "Timestamp Functions" on page 1081 

• "Type Conversion Functions" on page 1085 

• "Value List Functions" on page 1089 

Each variable implements a single function. Functions are grouped into types as described in 
"Variable Definition Fields". 

Arguments: The contents of the Arguments section vary based on the Function selected. Functions 
require one, two, or three data fields as input arguments. The event data field list is filtered to show 
only fields of the required argument type. For example, the GetMonth function requires a single 
argument of type timestamp, so the list only shows timestamp-related fields: Agent Receipt Time, 
Device Custom Date 1, Device Custom Date 2, Device Receipt Time, End Time, Event Annotation 
Modification Time, and so on. 


Alias Functions 

AliasField: Creates an alias (alternate name) for the specified field. Provide the alias name you want 
to use, and select a field from the drop-down list under Arguments. 
Arithmetic Functions 

The following table describes arithmetic functions. The binary arithmetic functions like Add, Subtract, 
and Multiply return a result type that is the higher resolution type of the two parameters. For example, 
Add(Integer, Long) will return Long. Multiply(Integer, Double) will return Double. The Divide 
function always returns Double. 


Absolute: Returns the absolute value (its numerical value without regard to its sign) of the numeric 
argument. The argument may be integer, long integer, or double. 

Add: Returns the result of adding the two numeric arguments together. The arguments may be integer, 
long integer, or double types. 

Ceil: Returns the smallest integer value that is not less than the numeric argument. The argument may 
be integer, long integer, or double. 

Divide: Returns the result of dividing the first numeric argument by the second numeric argument. The 
arguments may be integer, long integer, or double types, but the second argument may not evaluate 
to 0. 

Floor: Returns the largest integer value that is not greater than the numeric argument. The argument 
may be integer, long integer, or double. 

Java Mathematical Expressions: Returns the result of the evaluation of the specified Java expression. 
Java Mathematical Expressions are for advanced users. ESM does not provide error checking and 
messaging for your JEP expressions. Refer to the Java Math Expressions Parser web pages at 
http://www.singularsys.com/jep/ for more information on writing these expressions. 

Supported Expressions: ESM supports a subset of Java mathematical expressions (JEP), which are 
written like standard mathematical expressions. A JEP expression has three components: operator, 
function, and value. 

• Operator - Examples of operators are + - / * 
JEP operators are documented in the table on this Web site: 
http://www.singularsys.com/jep/doc/html/operators.html 

• Function - ESM supports the following functions, which are a subset of the functions described in 
http://www.singularsys.com/jep/doc/html/functions.html. 

Supported Trigonometric Functions: sin(x), cos(x), asin(x), acos(x), atan(x), atan2(y, x), sinh(x), 
cosh(x), tanh(x), asinh(x), acosh(x), atanh(x) 

Supported Logarithmic and Exponential Functions: ln(x), log(x), exp(x) 

Miscellaneous Supported Functions: abs(x), rand(), mod(x,y) = x % y, sqrt(x) 

• Value - The values are either constants of numeric type or fields, which are referenced by the 
camelCase notation, such as bytesIn. For information on how to reference fields, refer to the 
"Script Alias" names in "Data Fields" on page 885. 

Example: The expression "(bytesIn ^ 2)/1000" squares the bytesIn value of an event and divides the 
result by 1000. 

Notes: 

• All JEP functions return a Double. 

• Unlike velocity references, JEP expressions do not use "$" in front of (ArcField) field names; see 
"Data Fields" on page 885. 

• Do not include mathematical operators or JME function names in a variable name. If you do, the JME 
parser interprets them as operators and returns unexpected results. Variable names that match JME 
function names such as sqrt cause similar problems. 

• Some expressions may not be valid and do not produce results. Do not use them in queries or active 
channels, and filters that use them cannot be used in queries or active channels. 

• JME variables are held only in memory and so can be used only in Rules, Filters, and Data Monitors. 
They cannot be used in resources like Reports, which rely on persisted data. (There is a set of velocity 
references specifically for use in Reports. See "Velocity References for Reports" on page 1097 for 
more information.) 

• This function is held in memory; therefore you can only use it in Rules, Filters, and Data Monitors. 
You cannot use the function in resources like Queries and Reports, and other resources that rely on 
persisted data. 

Multiply: Returns the product of multiplying the two numeric arguments together. The arguments may 
be integer, long integer, or double types. 

Round: Returns the closest integer to the numeric argument. The argument must be a double. 

Subtract: Returns the result of subtracting the second numeric argument from the first numeric 
argument. The arguments may be integer, long integer, or double types. 
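Because ESM performs no error checking on JEP expressions, it is worth seeing what a checked evaluation of the supported subset looks like. The following is an added example, not ESM's JEP engine and not code from the documentation: it parses an expression over script-alias field names such as bytesIn into a syntax tree and accepts only the operators and functions listed above, so anything outside that subset (attribute access, comparisons, unknown function or field names) is rejected instead of being handed to a general-purpose eval. The sample event, the sample expressions and the Python function names are constructed for illustration; treating ln() as the natural logarithm, log() as base 10 and mod() as a truncating remainder is an assumption about JEP's semantics.

```python
"""Evaluate the JEP subset the reference lists (operators + - * / ^ and the
trigonometric, logarithmic and miscellaneous functions) against an event's
script-alias fields, without handing the expression to Python's eval().

Added example, not ESM's JEP engine. The event dictionary and the sample
expressions are constructed for illustration; ln() as natural log, log() as
base 10 and mod() as truncating remainder are assumptions about JEP.
"""
import ast
import math
import operator
import random

# Functions the reference lists as supported; any other call is rejected.
_FUNCS = {
    "sin": math.sin, "cos": math.cos, "asin": math.asin,
    "acos": math.acos, "atan": math.atan, "atan2": math.atan2,
    "sinh": math.sinh, "cosh": math.cosh, "tanh": math.tanh,
    "asinh": math.asinh, "acosh": math.acosh, "atanh": math.atanh,
    "ln": math.log, "log": math.log10, "exp": math.exp,
    "abs": abs, "rand": random.random, "mod": math.fmod, "sqrt": math.sqrt,
}
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Pow: operator.pow}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval(node: ast.AST, event: dict) -> float:
    """Walk the parsed expression, allowing only whitelisted node types."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return float(node.value)
    if isinstance(node, ast.Name):                      # a field such as bytesIn
        if node.id not in event:
            raise NameError(f"unknown field {node.id!r}")
        return float(event[node.id])
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval(node.left, event), _eval(node.right, event))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
        return _UNARY[type(node.op)](_eval(node.operand, event))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        # All JEP functions return a Double, so the result is always a float.
        return float(_FUNCS[node.func.id](*[_eval(a, event) for a in node.args]))
    # Attribute access, subscripts, strings, comparisons, unknown calls: all end here.
    raise ValueError(f"unsupported construct in expression: {type(node).__name__}")


def evaluate_jep(expr: str, event: dict) -> float:
    """Return the Double result of a JEP-style expression over event fields."""
    # JEP writes exponentiation as ^; Python's parser reads ^ as XOR, so rewrite it.
    tree = ast.parse(expr.replace("^", "**"), mode="eval")
    return _eval(tree.body, event)


# Constructed sample event, keyed by script-alias field names.
SAMPLE_EVENT = {"bytesIn": 4000, "bytesOut": 250}

if __name__ == "__main__":
    print(evaluate_jep("(bytesIn ^ 2)/1000", SAMPLE_EVENT))   # 16000.0
```

After the ^ rewrite, operator precedence is Python's, which agrees with JEP for the listed operators in ordinary expressions; the point of the example is the whitelist, which gives the caller a definite error for an unsupported expression rather than the silent absence of a result that the notes above describe.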


Category Model Function 

This function applies to Actors, a separately-licensed feature. 

HasRelationship: Tests whether two actors, or an actor and a group, have the specified relationship 
based on a given Category Model. 

Category Model: Select an existing category model. 

Parent Field or Group: Select a field or single-value variable you want to use as the parent. Use the 
Field/Group drop-down to indicate whether the parent is a field (single attribute) or a group. 

Child Field or Group: Select the field or single-value variable you want to use as the child. 

Inherit All Related Actors: Select true to include all the actors in the selected group and its children. 
Select false to include only the actors in the selected group. 


Condition Functions 

ConditionalEvaluation: The ConditionalEvaluation function takes three arguments: a filter that acts 
as the conditional expression, a value to return if the expression evaluates to True, and a value to 
return if the expression evaluates to False. The filter must be an existing Filters resource. 

CustomConditionalEvaluation: The CustomConditionalEvaluation function takes three arguments: a 
local filter (not defined in the Filters resource) that acts as the conditional expression, a value to return 
if the conditions evaluate to True, and a value to return if the conditions evaluate to False. You enter 
the filter statement in the text field. You create and edit local filter conditions through the Common 
Conditions Editor or Global Variables Selector. 

[Screenshot: the Parameters tab of the variable editor with Function set to 
CustomConditionalEvaluation ("Return one of two values based on the outcome of the condition"). 
Under Arguments, the Filter reads ( Name Is NOT NULL And Attacker Address != 1.1.1.1 ) with an 
Edit button, If True is the String "That's correct", and Else is the String "Sorry try again".] 

ReplaceNull: The ReplaceNull function takes two arguments: a value to return from a test field, and 
if the value is Null, a replacement value to return from another field. Both test and replacement fields 
must be of the same type. You can also set the replacement to a constant value. For example, for a 
String field, the replacement value can be something like Match found. 


Group Functions 

There are two general types of Group functions: FormatGroups and GetGroups. 

The FormatGroups functions, FormatGroupsOfAssets and FormatGroupsOfNetworkZone, return a 
human-readable list of asset-category URIs unexclusively, meaning that all matching and related 
categories are included. These variable functions mainly format and display asset category-groups. 
They are best used with the contents of fieldsets, reports, and data monitor fields. Avoid using the 
FormatGroups functions in conditions, because result order cannot be assured for multiple-item groups; 
instead, use the GetGroups functions for ordering and consistency. 


Group Functions 

Description 

FormatGroupsOfAsset 

Formats the presentation of one or more matching asset category or 
asset group. The results are unordered. 

More Options on the Global Variable Editor’s Parameters tab: 

If Anchor Point is start or base, the Offset is the number of elements 
to move from the anchor point when formatting the matched category 
URI. If Anchor Point is end, the Offset is the number of elements to 
move to the left. For example, ifAssetl is classified as All 
Assets/Location/USA/CA/Cupertino, the corresponding offset 
formats would be: 

USA = offset from Anchor Point by 0 

CA = offset from Anchor Point by 1 

Cupertino = offset from Anchor Point by 2 

For MaxCount, specify the maximum number of categories to return. If 
the specified number is less than the number of matching categories, 
the returned categories are chosen at random. A Max Count of 0 
means you want all categories returned. 

FormatGroupsOfNetwork 

Zone 

Formats one or more matching network zone group or asset category 
group. The results are unordered. 

See FormatGroupsOfAssets description for More Options. 

GetGroupOfAsset 

Returns a single Asset Category or Asset Category Group, given a 

Base Field and Base Group. If there is more than one matching 
category or group, a single URI is chosen at random. Related 
categories are not included. Output is optimized for correlation 
operations. 

Note: The GetGroups (plural Groups) functions return lists of asset 
categories, therefore their results cannot be used in inGroup 
conditions. This GetGroup (singular Group) function makes it possible 
to select one result at random, provided the variable is defined to 
produce a single result. 

GetGroupOfNetworkZone 

Returns a single zone category. If multiple matches occur, a single 

URI is chosen at random. Related categories are not included. 

Note: The GetGroups (plural Groups) functions return lists of zones, 
therefore their results cannot be used in inGroup conditions. This 
GetGroup (singular Group) function makes it possible to select one 
result at random, provided the variable is defined to produce a single 
result. 
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Group Functions Description 

GetG roups Of As set 

Returns a list of Asset Categories or Asset Category Groups, given a 
Base Field and Base Group. In rule and data monitor aggregations this 
should produce multiple sets. In reports, this produces a comma-separated 
list of asset-category names. No related categories are 
excluded. Output is optimized for correlation operations. This function 
complements the FormatGroups functions. It simply shows XML 
representations of asset categories. Use this function in conditions and 
in Group By elements of rules or reports because its output is both 
well-ordered and consistent. 

GetGroupsOfNetworkZone 

Returns a list of Network Zone Groups or Asset Category Groups, 
given a Base Field and Base Group. This function complements the 
FormatGroups functions. It simply shows XML representations of 
group resources. Use this function in conditions and in Group By 
elements of rules or reports because its output is both well-ordered and 
consistent. 


IP Address Functions 


IP Address 

Function 

Description 

ParseIPAddress 

Applies to IPv4 addresses. 

Returns an integer from 0 to 255 to represent the value of one octet of the 
specified IPv4 address. For example, ParseIPAddress(192.0.2.27, 1) returns 
192. ParseIPAddress(192.0.2.27, 4) returns 27. 


List Functions 

Caution: Make sure you are getting values from case-sensitive lists only. Getting values from 
case-insensitive lists will negatively affect performance. 


List Functions Description 

GetActiveListValue 

Returns the value associated with a specific field of the specified Active List. 

GetSessionData 

Returns the value associated with a specific field of the specified Session List. 

Use this function for event and non-event schemas (any resource schema like 
actors, trends, cases, and so on), and specify the time at which the session is 
evaluated using either a time field, a constant time, or a dynamic time. 
String Functions 


String Functions 

Description 

Concatenate 

Returns the string result of joining the two string arguments. For 
example, Concatenate("Arc", "Sight") returns ArcSight. 

When a rule using this function fires and your string values have 
beginning or trailing spaces, the spaces are dropped, even if the 
preview during function definition or export to XML displays the space. 

If you want to enforce a space, use ConcatenateThree (described 
next). 

Note: This function is held in memory, therefore you can only use it in 
Rules, Filters, and Data Monitors. You cannot use the function in 
resources like Queries and Reports, and other resources that rely on 
persisted data. 

ConcatenateThree 

Returns the string result of joining the three string arguments. 

For example, ConcatenateThree("ArcSight", "Command", "Center") 
returns ArcSightCommandCenter. 

Note: This function is held in memory, therefore you can only use it in 
Rules, Filters, and Data Monitors. You cannot use the function in 
resources like Queries and Reports, and other resources that rely on 
persisted data. 

EvaluateVelocityTemplate 

For advanced users with thorough understanding of velocity templates. 
Evaluates the velocity template argument and returns the result. This 
function is not available in a Query or Active Channel, and Filters that 
use this function cannot be used in a Query or Active Channel. For 
information on how to use Velocity Templates in ESM, see "Velocity 
Templates" on page 1093. 

Note: This function is held in memory, therefore you can only use it in 
Rules, Filters, and Data Monitors. You cannot use the function in 
resources like Queries and Reports, and other resources that rely on 
persisted data. 

IndexOf 

Returns the integer offset into the first string argument that is the 
location of the second string argument. For example, IndexOf ("Twas 
the night before Christmas", "night") returns 9. If the second 
string argument is not found in the first string argument, IndexOf returns 
-1. 

LastIndexOf 

Returns the index (position) of the last (rightmost) occurrence of the 
second argument (the substring) within the first string argument (the 
source). If the substring is not found in the source, the function returns -1. 
The first position is index 0, as in the IndexOf function. 

Examples: 

LastIndexOf("abc/def/xyz", "/") returns 7 

LastIndexOf("abc/def/xyz", "abc") returns 0 

LastIndexOf("abc/def/xyz", "klm") returns -1 

LengthOf 

Returns the number of characters in the string argument. For example, 
LengthOf ("Twas the night before Christmas") returns 31. 
LengthOf("") returns 0. 

Substring 

Returns a portion of the first string argument, starting at the position 
specified in the second, numeric, argument and ending at the position 
specified in the third, numeric, argument, which is the starting position 
plus the number of characters to return. For example, 
Substring("Twas the night", 5, 8) returns "the". 

ToLower 

Returns the string argument converted to all lowercase. For example, 
ToLower("Inline Filter") returns "inline filter". Numbers and 
other non-alphabetic characters are not affected. 

ToUpper 

Returns the string argument converted to all uppercase. For example, 
ToUpper("Inline Filter") returns "INLINE FILTER". Numbers and 
other non-alphabetic characters are not affected. 


Timestamp Functions 

ESM applies timezones according to the component, shown below: 


Time Zone 

Description 

Default Time Zone 

The Manager time zone 

Agent Time Zone 

The time zone of the Connector which sent the event 

Original Agent Time Zone 

The time zone of the first Connector in a possible chain of connectors which 
sent the event 

Device Time Zone 

The time zone of the originally-reporting device 

Final Device Time Zone 

The time zone of the device which reported to the original Connector 




Caution: Discrepancies in values returned by Timestamp functions 

With certain resources, you might observe some discrepancy in values returned by Timestamp 
functions and End Time if ArcSight Manager and ArcSight Console are in different timezones. 
Following are the scenarios where the discrepancy occurs: 

• For query viewers and data monitors, a Timestamp function (for example, GetDayOfWeek) 
gets the value from the Manager’s timezone, and End Time gets the value from the Console’s 
timezone. 

• For reports, End Time values and values returned by TimeStamp functions are consistent with 
the Manager’s timezone. 

• For active channels, End Time values and values returned by TimeStamp functions are 
consistent with the Console’s timezone. 


TimeStamp Functions 

Description 

GetCurrentTime 

Returns the current time in the format DD Mo YYYY hh:mm:ss TIMEZONE, 
for example 

25 Jun 2014 14:05:18 PDT 

The returned time is based on the client time. 

GetDayOfMonth 

Returns an integer from 1 to 31 to represent the day 
of the month, based on the selected timestamp 

GetDayOfWeek 

Returns an integer from 0 to 6 (0 is Sunday) to 
represent the day of the week, based on the 
selected timestamp. The associated day of the 
week (for example "Sunday") is displayed on the 
ArcSight Console. 

You can test the value returned by this function 
using numeric operations such as >, <, >=, <=, and =. 

For example, for a variable called "day" that 
contains the value returned by the GetDayOfWeek 
function, you can create an AND logical operator 
that checks for a weekday with these conditions: 

• day >= Monday 

• day <= Friday 

GetDayOfYear 

Returns an integer from 1 to 366 to represent the 
day of the year, based on the selected timestamp. 

GetHour 

Returns an integer from 0 to 23 to represent the 
hour of the day, based on the selected timestamp. 

GetMinute 

Returns an integer from 0 to 59 to represent the 
minute of the hour, based on the selected 
timestamp. 

GetMonth 

Returns an integer from 1 to 12 to represent the 
month of the year, based on the selected 
timestamp. 

GetYear 

Returns an integer for the year based on the 
selected timestamp and displays it as a 4-digit 
integer. 

TimeDifference 

Returns the result of subtracting the second 
timestamp argument from the first timestamp 
argument, in a human-readable format. 

TimeDifferenceInDays 

Returns the result of subtracting the second 
timestamp argument from the first timestamp 
argument, in days. 

TimeDifferenceInHours 

Returns the result of subtracting the second 
timestamp argument from the first timestamp 
argument, in hours. 

TimeDifferenceInMinutes 

Returns the result of subtracting the second 
timestamp argument from the first timestamp 
argument, in minutes. 

TimeDifferenceInSeconds 

Returns the result of subtracting the second 
timestamp argument from the first timestamp 
argument, in seconds. 

TimestampGranularity 

Note: This function is held in memory, 
therefore you can only use it in Rules, Filters, 
and Data Monitors. You cannot use the 
function in resources like Queries and 
Reports, and other resources that rely on 
persisted data. 

Returns timestamp values at a granular level. This 
function is only available for in-memory operations 
like rules, data monitors, and channels; but not for 
reports, queries, and trends. 

Includes the following timestamp granularity 
options: 

• get_year_only 

Returns a timestamp value of the first day of the 
year, first month of the year, and year; and 
zeroes out the hours, minutes, and seconds. 

For example, for a given timestamp of 4 Oct 
2011 15:19:52 <Managertimezone>, the 
calculated value is 

1 Jan 2011 00:00:00 <Managertimezone> 


• get_year_month 

Returns a timestamp value of the first of the 
month, month, and year; and zeroes out the 
hours, minutes, and seconds. For example, for 
a given timestamp of 4 Oct 2011 15:19:52 
<timezone>, the calculated value is 

1 Oct 2011 00:00:00 <Managertimezone> 



• get_year_month_day 

Returns a timestamp value of the date, month, 
and year only; and zeroes out the hours, 
minutes, and seconds. For example, for a given 
timestamp of 4 Oct 2011 15:19:52 <timezone>, 
the calculated value is 

4 Oct 2011 00:00:00 <Managertimezone> 


• get_year_month_day_hh 

Returns a timestamp value of the current date, 
month, year, and hours; and zeroes out the 
minutes and seconds. For example, for a given 
timestamp of 4 Oct 2011 15:19:52 <timezone>, 
the calculated value is 

4 Oct 2011 15:00:00 <Managertimezone> 


• get_year_month_day_hhmm 

Returns a timestamp value of the current date, 
month, year, hours, and minutes; and zeroes 
out the seconds. For example, for a given 
timestamp of 4 Oct 2011 15:19:52 <timezone>, 
the calculated value is 

4 Oct 2011 15:19:00 <Managertimezone> 


• get_year_month_day_hhmmss 

Returns a timestamp value of the date, month, 
year, hours, minutes, and seconds. For 
example, for a given timestamp of 4 Oct 2011 
15:19:52 <timezone>, the calculated value is 

4 Oct 2011 15:19:52 <Managertimezone> 

Note: You can test (click Calculate on the dialog for using this function in your variable) how each 
TimestampGranularity option calculates the value before you save the variable. The Manager’s 
timezone is used in calculation. 
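The following is an added example, not code from the ArcSight Console or HP, that emulates the six TimestampGranularity options on the page's sample timestamp and the GetDayOfWeek discrepancy described in the Caution above (the same instant viewed in the Manager's and the Console's timezone). The two fixed-offset zones are assumptions standing in for `<Managertimezone>` and the Console's zone.

```python
from datetime import datetime, timedelta, timezone

# Assumed fixed-offset zones standing in for <Managertimezone> and the Console's
# timezone in this example; the real zones come from the Manager and Console hosts.
MANAGER_TZ = timezone(timedelta(hours=-7))
CONSOLE_TZ = timezone(timedelta(hours=9))

# The page's example timestamp, 4 Oct 2011 15:19:52 <Managertimezone>.
SAMPLE_TS = datetime(2011, 10, 4, 15, 19, 52, tzinfo=MANAGER_TZ)

# Number of leading fields (year, month, day, hour, minute, second) each option keeps.
_GRANULARITY_FIELDS = {
    "get_year_only": 1,
    "get_year_month": 2,
    "get_year_month_day": 3,
    "get_year_month_day_hh": 4,
    "get_year_month_day_hhmm": 5,
    "get_year_month_day_hhmmss": 6,
}


def timestamp_granularity(ts, option):
    """Emulate TimestampGranularity: truncate ts to the chosen option.

    The Manager's timezone is used for the calculation, as the page's note says,
    so the instant is converted into MANAGER_TZ before any field is reset.
    """
    if option not in _GRANULARITY_FIELDS:
        raise ValueError(f"unknown TimestampGranularity option: {option!r}")
    keep = _GRANULARITY_FIELDS[option]
    local = ts.astimezone(MANAGER_TZ)
    fields = [local.year, local.month, local.day, local.hour, local.minute, local.second]
    floors = [local.year, 1, 1, 0, 0, 0]  # month and day reset to 1, time fields to 0
    kept = [f if i < keep else floors[i] for i, f in enumerate(fields)]
    return datetime(*kept, tzinfo=MANAGER_TZ)


def format_manager_time(ts):
    """Render like the page's examples, e.g. '4 Oct 2011 15:00:00 <Managertimezone>'."""
    local = ts.astimezone(MANAGER_TZ)
    return f"{local.day} {local:%b %Y %H:%M:%S} <Managertimezone>"


def get_day_of_week(ts, tz):
    """Emulate GetDayOfWeek (0 is Sunday) for the same instant viewed in zone tz."""
    return (ts.astimezone(tz).weekday() + 1) % 7  # Python: Monday is 0, Sunday is 6


if __name__ == "__main__":
    for option in _GRANULARITY_FIELDS:
        print(f"{option:<27} -> {format_manager_time(timestamp_granularity(SAMPLE_TS, option))}")
    # Same instant, two zones: the query viewer / data monitor discrepancy from the Caution
    print("Manager day of week:", get_day_of_week(SAMPLE_TS, MANAGER_TZ))
    print("Console day of week:", get_day_of_week(SAMPLE_TS, CONSOLE_TZ))
```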


Type Conversion Functions 

ConvertAddressToString 

Converts a given IPv4 address value, for example, 192.0.2.0 , to string. 

ConvertListToString 

Takes as an argument the value of a multi-valued list entry and returns it as a comma-separated string 
(with each entry in the same format as displayed in a channel). This function works for both multi- 
valued session lists and active lists with overlapping entries. 

For example, suppose you have a session list set up to show usernames and IP addresses associated 
with login sessions. You would get user names from the session list via the GetSessionData variable. 
If there are three user names on the list (for example, darren, samantha, and endora), the 
ConvertListToString variable will return the three names (for example, [darren, samantha, 
endora]). You could do the same with IP addresses. 

To use ConvertListToString, first add a variable with the "GetSessionData" function. The nested fields 
that show up in the field selector (<VariableNameFromSessionList>.<FieldName>) can then be 
selected as arguments to this function. 

For more about session lists, see "Identity Correlation" on page 569 and "List Authoring" on page 469. 

Note: See also 

• "ConvertStringToList" 

• "List Functions" 


ConvertNumberToString 

Takes as an argument any number (integer, double, and so on) and returns it as a string. 

ConvertResourceToReference 

Takes a resource, for example, an asset, and converts it to a reference. Use this on an asset field you 
want, for example, Target Asset. This allows you to use a rule action to aggregate on that function, then 
use it to add an asset to an active list through the list’s asset reference subtype. 

Note: From an active channel containing the asset field, you cannot use this variable function to 
add the asset to an active list, even if the active list contains a resource reference field of subtype 
Asset. In other words, this variable function is not available for mapping assets from channels. 


ConvertStringToDouble 

Returns a double (floating point number) based on the selected string. For example, if a character string 
event field contained 3.19, ConvertStringToDouble would return a numeric value of 3.19. 

ConvertStringToDate 

Converts a date and time pattern string to a timestamp format. Your string input formats can include the 
time in hours, seconds, and milliseconds; the AM/PM marker; and timezone. Example input formats 
you can use: 

month/day/shortyear or month/day/fullyear 

You can optionally include the time in hours, seconds, and milliseconds; the AM/PM indicator; and 
timezone. For example: 

mm/dd/yy hh:ss PM PST 

You can specify the month by its name, for example March or the abbreviation Mar (case insensitive); 
or by its number, for example 03 or 3. 
For a complete list of Java-specified formats supported by this conversion function, refer to 
http://docs.oracle.com/javase/7/docs/api/. Read the documentation for the SimpleDateFormat class 
containing details on patterns and examples. 

Note: This function is held in memory, therefore you can only use it in Rules, Filters, and Data 
Monitors. You cannot use the function in resources like Queries and Reports, and other resources 
that rely on persisted data. 


ConvertStringToInteger 

Returns a 4-byte integer based on the selected string. 

ConvertStringToIPAddress 

Takes an IPv4 address string and returns the binary IPv4 address value. 

ConvertStringToIPv6Address 

Takes an IPv6 address string and returns the binary IPv6 address value. You can enter a full or 
compressed IPv6 address string. 

If your IPv6 string input contains blocks of 4-hex digits that are all zeroes, the function returns the 
compressed IPv6 address value. For example, if you enter 

2001:db8:0000:0000:0000:0000:0000:0000 

the function returns 2001:db8:: 

If the input string is an IPv4 address, the function maps the IPv4 string to a compressed 128-bit IPv6 
address value by prefixing the resulting IPv6 value with 64 "zero" bits and 16 "one" bits followed by the 
IPv4 address itself. For example, if the IPv4 string is 

192.0.2.24 

the conversion to IPv6 value is presented as 

::FFFF:192.0.2.24 

Tip: Refer to the following websites for information about IPv4 embedding into IPv6 address: 

https://tools.ietf.org/html/rfc6052#section-2 

http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding-2.htm 

Note: This function is held in memory, therefore you can only use it in Rules, Filters, and Data 
Monitors. You cannot use the function in resources like Queries and Reports, and other resources 
that rely on persisted data. 
ConvertStringToList 

Takes a comma-separated string and returns it as a multi-valued list. (See also "ConvertListToString".) 
You have the option to specify a separator string other than the default comma, such as a pipe (|). 

ConvertStringToLong 

Takes an input string and returns a long (very large integer). 

ConvertStringToMACAddress 

Takes a MAC address string in the format xx:xx:xx:xx:xx:xx and returns the MAC address value. 
Hyphens used as separators are converted to colons. 

Note: This function is held in memory, therefore you can only use it in Rules, Filters, and Data 
Monitors. You cannot use the function in resources like Queries and Reports, and other resources 
that rely on persisted data. 


ConvertStringToResourceReference 

Caution: This conversion function does not check the resource's validity. If the input string has 
the correct format, the type conversion takes place. 

Takes an input string representing a resource ID or a resource URI and converts the string to a 
resource reference. 

• Enter your Resource ID string in the following format (must match exactly): 

<Resource ID="resourceIDvalue"/> 

where resourceIDvalue is the unique 25-character value that conforms to ArcSight conventions for 
resource IDs. This ID is auto-generated and is shown on the resource's non-editable Resource ID 
attribute. For example 

<Resource ID="QjZvvPPsAABCAEcWZ6-BlEQ=="/> 

Start the input string with a left angle bracket <, and end the string with a slash and right angle 
bracket />. Enclose the resource ID value with double quotes. Do not use a URI format for the 
resource ID. 

• Enter your Resource URI string in the following format (must match exactly): 

<Resource URI="/URI"/> 

where /URI is the URI to the resource. For example, the input can be 

<Resource URI="/All Queries/ArcSight Adminstration/Connectors/System 
Health/Cache/Cache History by Connectors"/> 
Note: This function is held in memory, therefore you can only use it in Rules, Filters, and Data 
Monitors. You cannot use the function in resources like Queries and Reports, and other resources 
that rely on persisted data. 

Value List Functions 

All functions in this category are held in memory, therefore you can only use them in Rules, Filters, and 
Data Monitors. You cannot use these functions in resources like Queries and Reports, and other 
resources that rely on persisted data. 

Caution: Make sure you are getting values from case-sensitive lists only. Getting values from 
case-insensitive lists will negatively affect performance. 


Value List 

Functions 

Description 

DistinctListValue 

Takes a list and returns list elements, excluding null and duplicate values. The 
entries are enclosed in double quotes and separated by commas. 

GetListElement 

Takes two parameters, a list field and a list index (an integer), and returns the 
value from the specified nth index. The first list element is index 0. See "Using 
Functions: Examples with Lists" on the next page for additional information. 

GetSizeOfList 

Takes as an argument the value of a multi-valued list entry and returns the size 
of the list. 

For more about session lists, see "Identity Correlation" on page 569 and "List 
Authoring" on page 469. 

See "Using Functions: Examples with Lists" on the next page for additional 
information. 

Notes: 

• This function works for both multi-valued session lists and active lists with 
overlapping entries. 

• This function is held in memory, therefore you can only use it in Rules, 

Filters, and Data Monitors. You cannot use the function in resources like 
Queries and Reports, and other resources that rely on persisted data. 

• More list functions are shown in "List Functions" on page 1079. 

ListIntersection 

Takes two lists and returns a single list containing values that are common to 
both lists, including null and duplicate values. Entries are enclosed in double 
quotes and separated by commas. Null values are represented as empty 
strings (“”). If List1 and List2 each contain one null value and 1.0.0.1, this 
intersection list is returned: 

“”, “1.0.0.1” 

ListUnion 

Takes two lists and returns a single list containing combined entries of both 
lists, including duplicates and null values. The entries are enclosed in double 
quotes and separated by commas. Null values are represented as empty 
strings (“”). 

NonNullListValues 

Takes one list and returns a list of elements except null values. The entries are 
enclosed in double quotes and separated by commas. 

SortListValues 

Takes one list and returns a list of elements, excluding null values, sorted in 
ascending order. The entries are enclosed in double quotes and separated by 
commas. 


Using Functions: Examples with Lists 

Getting Login Session Data from a Session List 

Objective: 

To get the number of login sessions maintained in a session list. 

This scenario uses: 

• Session list to be referenced by GetSessionData 

• "GetSessionData" function specifying the session list from which to get values 

• "GetSizeOfList" function that uses the GetSessionData variable as an argument 

• "ConvertStringToList" function that uses the GetSessionData variable as an argument 

We name the variable GetLoginsSessionData and use GetSessionData function. For this variable, 
specify the session list as the source of values. You can then select the nested fields that show up in 
the field selector: 

(<VariableNameFromSessionList>.<FieldName>) 
as the argument. 
If there are three user names on the list (for example, darren, samantha, and endora), the 
GetSizeOfList function returns the number of names on the list (for example, [3]). You could do the 
same with the IP addresses. 


After you have specified the field values to be taken from the session list, you can further use the 
GetSizeOfList and ConvertStringToList for additional methods to get your session data. 

GetSessionData list function shows up as argument to ConvertListToString and 
GetSizeOfList Type Conversion functions. 



Extracting a List Element from an Active List 

Objective: 

To extract the IP address from an active list containing expired audit events. 

This scenario uses: 

• Active list 

• "ConvertStringToList" 
• "Using Functions: Examples with Lists" 

• "ConvertStringTolPAddress" 

The scenario uses the value from DeviceCustomString4, where list elements are separated by a pipe 
(|): 

desktop1.somecompany.com|mwhit|192.0.2.0|Antarctica|ENG 

In the string, the IP address is list element index 2. To extract the IP address, create a chain of three 
variables as follows: 

1. parse_expired_entry = ConvertStringToList(DeviceCustomString4, "|") 

2. get_ip_elem = GetListElement(parse_expired_entry, 2) 

3. converted_ipa = ConvertStringToIPAddress(get_ip_elem) 
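The following is an added example, not code from the ArcSight Console or HP, that emulates the three-variable chain above on a constructed DeviceCustomString4 value and the ConvertStringToIPv6Address behaviour described under "Type Conversion Functions" (zero-block compression and IPv4 strings presented as ::FFFF:a.b.c.d). Function names mirror the ESM functions but are plain Python stand-ins; the entry string is constructed for this example.

```python
import ipaddress

# Constructed sample value for DeviceCustomString4, as on the page: pipe-separated
# fields, with the IP address at list index 2.
SAMPLE_EXPIRED_ENTRY = "desktop1.somecompany.com|mwhit|192.0.2.0|Antarctica|ENG"


def convert_string_to_list(value, separator=","):
    """ConvertStringToList stand-in: split on the separator (comma unless another is given)."""
    return value.split(separator)


def get_list_element(items, index):
    """GetListElement stand-in: the first element is index 0; None when the index does not exist."""
    return items[index] if 0 <= index < len(items) else None


def convert_string_to_ip_address(text):
    """ConvertStringToIPAddress stand-in: binary IPv4 value, or None if the text is not IPv4."""
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError:
        return None


def convert_string_to_ipv6_address(text):
    """ConvertStringToIPv6Address stand-in: accepts full or compressed IPv6 text, or an
    IPv4 string, which is embedded as an IPv4-mapped address (::FFFF:a.b.c.d)."""
    text = text.strip()
    v4 = convert_string_to_ip_address(text)
    if v4 is not None:
        return ipaddress.IPv6Address(f"::ffff:{v4}")
    try:
        return ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return None


def present_ipv6(addr):
    """Display as the page does: zero blocks compressed, mapped IPv4 kept dotted."""
    mapped = addr.ipv4_mapped
    return f"::FFFF:{mapped}" if mapped is not None else addr.compressed


def extract_ip_from_expired_entry(entry):
    """The page's three-variable chain applied to one expired-entry string."""
    parse_expired_entry = convert_string_to_list(entry, "|")  # 1. split on the pipe
    get_ip_elem = get_list_element(parse_expired_entry, 2)  # 2. IP is list index 2
    if get_ip_elem is None:
        return None  # malformed entry with too few fields: no IP to convert
    return convert_string_to_ip_address(get_ip_elem)  # 3. string -> IPv4 value


if __name__ == "__main__":
    print(extract_ip_from_expired_entry(SAMPLE_EXPIRED_ENTRY))
    print(present_ipv6(convert_string_to_ipv6_address("2001:db8:0000:0000:0000:0000:0000:0000")))
    print(present_ipv6(convert_string_to_ipv6_address("192.0.2.24")))
```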

Variable Availability and Contexts 

Not all variables are available in all contexts. 

• These functions are only available for use with event schemas: 

■ "ConditionalEvaluation" 

■ "HasRelationship" 

■ "AliasField" 

• These functions are not available for use in SQL based operations: 

■ "ConvertListToString" 

■ "ConvertStringToList" 

■ "GetSizeOfList" 

■ "EvaluateVelocityTemplate" 

■ "Java Mathematical Expressions" 

• Active Channels can evaluate 

■ "Group Functions" 

■ "Category Model Function" 

■ "List Functions" 

only by sending a request to the Manager. Functions of these types are not evaluated on the 
ArcSight Console client, unlike other variable functions. If you create active channels that use 
these function types, keep in mind that there will be a slight delay in an ArcSight Console channel 
display of these values. 

See also "Applying a Field Set to an Active Channel" on page 216. 


Variable Functions for In-Memory Operations 

Functions listed below are used for in-memory operations only. This means you only use them on 
rules, filters, and data monitors. Such functions will not work on queries, reports, and active channels, 
which rely on persisted data. 

• "Java Mathematical Expressions" 

• "EvaluateVelocityTemplate" 

• "TimestampGranularity" 

• Some functions in "Type Conversion Functions" 

• All functions in "Value List Functions" 


Velocity Templates 

ESM supports the use of velocity templates or scripts as defined by The Apache Velocity Project 
(http://velocity.apache.org/). Velocity templates are a means of specifying dynamic or variable inputs 
to, or outputs from, underlying Java code. 

There are a number of places where a person familiar with Velocity templates can specify inputs using 
Velocity, instead of a literal value, to greatly enhance the results. 

Caution: Velocity templates are for advanced users 

• You must be experienced in using Velocity templates. 

Because Velocity templates have such wide-ranging and intricate possibilities, mis-application 
or inappropriate application is entirely possible. HP cannot assume responsibility for adverse 
results caused by user-supplied Velocity templates. 

• HP ArcSight does not provide error checking or error messaging for user-created velocity 
expressions. Refer to the Apache Velocity Project web page at http://velocity.apache.org/for 
more information on using velocity templates. 

• Velocity template based variables are held only in memory and, therefore, can be used only in 
Rules, Filters, and Data Monitors. Velocity template based variables cannot be used in 
resources like Reports, which rely on persisted data. (There is a set of velocity references 
specifically for use in Reports. See "Velocity References for Reports" on page 1097 for more 
information.) 

• Referencing Variables and Fields in Velocity Expressions. Any variable that a velocity 
expression references must be local to the resource. You can refer to local variables and fields 
in a velocity expression. 

If you have a global variable that you want to use in a velocity expression, use the +/- Global 
Variable button in the Common Conditions Editor (CCE) to make it available in the resource. 
For more information, see "Adding or Removing Global Variables Using the CCE" on page 877. 

For more information on variables in general, see "Variables" on page 1069 and "Global 
Variables" on page 555. 


Velocity Application Points 

Velocity template support appears both in the user interfaces and in certain configuration files. The 
designated Velocity access points are described in the following table. Stated briefly, Velocity 
templates can be applied in most places where a literal string might be enhanced by a conditional or 
variable string. Common examples are formatting time expressions or condensing fine units into more 
meaningful groupings. 


Velocity Template Usages 


Application 

Point Description 

Rules Action 

Parameters 

You can use Velocity templates in Add Action dialog boxes to create or edit fired-rule 
behavior. You get to these from the Actions tab or the Rules Editor. The 
Command and Parameters fields for Execute Command actions are Velocity 
candidates, as is the message-subject text in the Message field of Send 
Notification actions. 

Custom 

Columns 

Velocity templates are also applicable in the Cell Format and ToolTip Format 
panels of the Custom Columns Editor, which are described in "Customizing 
Columns" on page 236. 

SmartConnector 

Configuration 

The URI strings in the Default Content tab of the Connector Editor can accept 
Velocity templates. 

Case Audit 

Events 

Audit events concerning cases can also be customized with Velocity templates, 
through properties files. In the case.default.properties or case.properties files 
(which overrides the former file), found at $ARCSIGHT_HOME/config/audit, you 
can replace the expression in a key-value pair with a template variable or specify 
an additional field. 

Notification 

Messages 

In addition to using the Message field of Send Notification actions in the Add 

Action dialog box, you can also add Velocity templates to the destination-oriented 
notification configuration files located with the ArcSight Manager at 
$ARCSIGHT_HOME/config/notification. This text controls message content (in contrast to 
the subject line). 

Reports Text 
Fields 

You can use a specific set of Velocity references for Report parameters when 
creating, editing, scheduling or running Reports and Focused Reports. Velocity 
references for Reports are covered in detail in "Velocity References for Reports" 
on page 1097. 


Using Velocity Expressions to Retrieve Values from 
Event Fields or Variables 

Velocity expressions can be used to construct rule actions or velocity variables that need to access 
values in event fields or other variables. Rule actions can use velocity expressions in commands and 
notification messages. In these contexts, you need to write the velocity expression (there are no drop- 
down lists of fields provided, unlike in rule conditions). (See "Managing Rule Actions" on page 515 and 
"Rule Actions Reference" on page 520.) 

You can construct most global variables and local variables simply by using the provided pick lists of 
event fields in the functions. However, the Arithmetic function "Variable Definition Fields" and the 
String function "Variable Definition Fields" are velocity variables that require you to write a velocity 
expression. (See "Local and Global Variables" on page 1070.) 

The syntax for constructing a velocity expression is the same, whether for rule actions or velocity 
variables. 

Retrieving Values from Event Fields 

To retrieve the value of an event field, use the field name in camel notation without any spaces, 
preceded by a dollar sign ($): 

$<fieldNameInCamelNotation> 

For example, to retrieve the value of the Attacker Address field, use: $attackerAddress 
For more about event fields, see "Data Fields" on page 885. 

Using Variables in a Velocity Expression 

To retrieve the value of a variable, use the variable name preceded by a dollar sign ($). If the variable 
name contains a dot, remove the dot and use camel case. If the variable name contains a space, use 
an underscore. See the following formats: 
$<VariableName> 

$<variable_Name> 

For example: 


Variable display name          Velocity notation 

Credit Card Number             $Credit_Card_Number 
dhcp.Hostname                  $dhcpHostname 
Login User.Account Number      $Login_UserAccount_Number 


For more information, see "Variables" on page 1069. 


Using Velocity Expressions in Rule Actions 

You can use velocity expressions in rule actions to retrieve the value of an event field or variable. 
These expressions can be used in commands or notification messages in rule actions. 

For detailed syntax and guidance on constructing velocity expressions for use in rules, see "Using 
Velocity Expressions to Retrieve Values from Event Fields or Variables" on the previous page. 

Example of Rule Action that Uses Velocity Expressions to 
Retrieve Values 

Following is an example of using both types of velocity expressions in a rule action to retrieve values 
from an event field (Attacker Address) and a variable (dhcp.Hostname): 

1. In the Navigator panel, choose Rules from the drop-down menu. 

2. Create or edit a rule. 

3. Click the Actions tab. 

4. Right-click a rule action and choose the Send Notification rule action. 

The notification subject can be constructed as follows: 

"Brute force login attempt from IP Address: $attackerAddress Hostname: 
$dhcpHostname" 

5. Click OK or Apply to save the rule. 

When the rule action is triggered, the notification message replaces the event field velocity 
expression "$attackerAddress" with the value of the Attacker Address field, and the variable 
velocity expression "$dhcpHostname" with the value of dhcp.Hostname. 
More Velocity Template Examples 

You might use a Velocity template in a Zone URI field in a Connector Configuration Editor to specify a 
conditional target, as in: 

#if ( $deviceHostName.equals("foobar") )/All Customers/SuperCustomer#end 

If you are setting up zones based on customers and you want to populate those values dynamically, 
you could use the following statement to populate fields based on host names, and so forth. For 
example, if you have one connector that collects events from devices monitoring different customers 
networks, you may want to set the customer name based on the device hostname. 

device hostname = companyx.arcsight.com 

The following template sets the customer name to arcsight.com: 

CustomerURI=/All Customers/$deviceHostName.substring($deviceHostName.indexOf(".")) 

You can set the customer field from the SmartConnector as well, so events from a particular 
SmartConnector or device can be tagged as customer xyz (provided that Customer URI does exist on 
the Manager) and you can make ACLs limiting the customers' event privileges so they see only events 
tagged as customer xyz. If you have one SmartConnector that monitors devices reporting from 
multiple customers, you can dynamically set the customer name to be based on the device hostname. 
For example, if you have a customer named arcsight and the device hostname is 
device1.arcsight.com, the following template returns arcsight as the customer name: 

CustomerURI=/All Customers/$deviceHostName.substring($deviceHostName.indexOf("."),$deviceHostName.lastIndexOf(".")).substring(1) 

The result would be the URI: /All Customers/arcsight 

For a case audit event in case.default.properties, a template could consist of: 

deviceCustomString3=$history 
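The reference-naming rules above (event fields in camel case, variables with dots removed and spaces replaced by underscores), the Send Notification subject from the rule action example, and the host-name-to-customer template are exercised here in a small Python simulation. This is an added example, not ArcSight code: the tiny $reference resolver stands in for the Velocity engine, and the event and variable values are constructed samples.

```python
"""Simulate the ArcSight Velocity reference rules described above.

Added example (not ArcSight code): a minimal stand-in for the Velocity
engine that resolves $references from a context, the naming rules for
event fields and variables, and the Java-String customer-name template.
"""
import re

# A Velocity reference: a dollar sign followed by an identifier.
_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def event_field_reference(display_name: str) -> str:
    """'Attacker Address' -> '$attackerAddress' (camel case, no spaces)."""
    words = display_name.split()
    head = words[0][0].lower() + words[0][1:]
    tail = "".join(w[0].upper() + w[1:] for w in words[1:])
    return "$" + head + tail


def variable_reference(display_name: str) -> str:
    """'Login User.Account Number' -> '$Login_UserAccount_Number'.

    Dots are removed (the parts are joined as shown in the Console, keeping
    their case) and spaces become underscores.
    """
    return "$" + display_name.replace(".", "").replace(" ", "_")


def render(template: str, context: dict) -> str:
    """Replace each $reference with its value from the context.

    As in Velocity, an unresolved reference is left in the output verbatim,
    which is how a mistyped reference shows up in a notification.
    """
    def substitute(match):
        name = match.group(1)
        return str(context[name]) if name in context else match.group(0)
    return _REF.sub(substitute, template)


def customer_name_from_hostname(hostname: str) -> str:
    """Python equivalent of the Java-String template on this page:

    $deviceHostName.substring($deviceHostName.indexOf("."),
                              $deviceHostName.lastIndexOf(".")).substring(1)

    i.e. the labels strictly between the first and last dot. A host name with
    fewer than two dots has no such region (in Java the final substring(1)
    would fail on the empty string), so reject it explicitly.
    """
    first, last = hostname.find("."), hostname.rfind(".")
    if first < 0 or first == last:
        raise ValueError(f"need at least two dots in {hostname!r}")
    return hostname[first:last][1:]


if __name__ == "__main__":
    # Constructed sample values standing in for an event field and a variable.
    context = {"attackerAddress": "192.0.2.7", "dhcpHostname": "ws-0412"}
    subject = ("Brute force login attempt from IP Address: $attackerAddress "
               "Hostname: $dhcpHostname")
    print(render(subject, context))
    print("/All Customers/" + customer_name_from_hostname("device1.arcsight.com"))
```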


Velocity References for Reports 

The following Velocity references are available for use in Reports anywhere text is used. 

These references pick up, contain, display, and print the given values. Generally, Velocity references in 
Reports are used for display and print purposes when creating, editing, scheduling or running Reports 
and Focused Reports. In some cases, they are used for more than that. For example in archived 
reports, $Archive_Report_Folder and $Archive_Report_Name determine the location where reports 
will be stored. 

Note: The following table shows the complete set of applicable references for use with Reports. 
Other types of references (such as those discussed in the previous sections of this topic) do not 
apply to Reports. However, most of the details in "Velocity Template Usage Tips" also apply to 
Velocity Templates for Reports. 
Velocity References for Reports 

Report 

  $ReportName 
    Prints the name of the report, as specified in the Name field on the Attributes tab of the Report 
    Editor. 

  $AccessDisclaimer 
    Prints a disclaimer statement regarding the user permissions with which the report was run. The 
    disclaimer statement is a read-only string which is generated when report data has been filtered 
    due to limited access privileges of the user. 

    Reports are generated only with data for which the current user has access privileges. Depending 
    on user permissions for the user running a given report, access to some types of events or data 
    may be curtailed. In such cases, the report is generated with all the information for which the 
    user has access privileges. Events and data requiring higher-level access privileges are not 
    included in the report. The access disclaimer statement is a standard explanation of the 
    limitations of such a report. 

  $CurrentPageNumber 
    Prints the current page number of the report. 

  $TotalPageNumber 
    Prints the total number of pages in the report. 

Time 

  $CurrentDateTime 
    Prints the current date and time. (Same as $Now) 
    Example output: 12-06-2011-15:32:19. 

    Tip: Formats for dates and times depend on your Console preference settings. To change the way 
    dates and times are displayed throughout the Console, choose Edit > Preferences, then click the 
    Date & Time button. For more information, see "Setting Date and Time Formats" on page 86. 

  $CurrentDate 
    Prints the current date per your format preferences. 
    Example output: 12-06-2011. 

  $CurrentMonth 
    Prints the current month. 
    Example output: 12-2011. 

  $CurrentWeek 
    Prints the current week. 
    Example output: 49-2011 (for December of 2011). 

  $Now 
    Prints the current date and time. (Same as $CurrentDateTime) 
    Example output: 12-06-2011-15:33:00. 

  $Today 
    Prints today's date. 
    Example output: 12-06-2011-00:00:00. 

  $CurrentDateTime-<Number>d 
    Prints the current date and time minus the number of days you specify. 

    For example, if you ran the report on 12-06-2011 at 15:33:00 and specified the current date and 
    time minus 1 day ($CurrentDateTime-1d), this reference would output 12-05-2011-15:33:00. 

    If, on the same day, you specified the current date and time minus 3 days ($CurrentDateTime-3d), 
    this reference would output 12-03-2011-15:33:00. 

Parameters 

  $Report_Format 
    Prints the name of the report format that is configured as the default. Output formats are: 

    • pdf - Adobe PDF file. 

    • xls - Microsoft Excel file for tables and charts. (See "Setting Default and Custom Report 
      Parameters" on page 402 for additional notes on the Report Format attribute, specifically on 
      the XLS format.) 

    • rtf - Rich-text format document. 

    • csv - Tabular data as a list of comma-separated values. 

    • html - Web page displayed by the default web browser. 

    If the default output format for the report is set to html, then the $Report_Format reference 
    simply prints the word html. 

    See "Setting Default and Custom Report Parameters" on page 402 for information on how to set the 
    default output formats for reports when creating reports. 

    See also "Running a New or Archived Report" on page 449 for information about setting parameters 
    at report runtime. 

  $Page_Size 
    Prints the page size of the report. 
    Example output: Letter [8.5x11 in] 

  $Run_as_User 
    Prints the user name specified, if any, for the Run as User parameter in the report. 

  $Email_to 
    Prints the e-mail address specified, if any, for the Email to parameter in the report. 

  $Email_Format 
    Prints the e-mail format specified, if any, for the Email Format parameter in the report. For 
    example, Send URL or Attach Report. 

  $Filter_by 
    Prints the filters used by the referenced query for this report. 

  $Archive_Report_Folder 
    Prints the folder location where the archived report is stored. 

  $Archive_Report_Name 
    Prints the name of the archived report. 

  $Archive_Report_Expiration_Time 
    Prints the expiration time for an archived report. 

  $<ComponentID>.Row_Limit 
    Prints the row limit for the specified component. 

    Tip: <ComponentID> refers to the data components or building blocks of a report. To view the 
    components of a given report, right-click the report in the Navigator panel, choose Edit Report, 
    and click the Data tab for the report. 

    For example, if the report contains a component called Table, you can display related 
    information by using the Velocity references $Table.Row_Limit, $Table.Time_Zone, and so forth. 

    Similarly, if the report contains components called Chart1, Chart2, and Chart3, you can display 
    related information on each of the charts by using references such as $Chart1.Time_Zone, 
    $Chart2.Start_Time, and so forth. 

  $<ComponentID>.Time_Zone 
    Prints the time zone for the specified component. 

    For example, $Table.Time_Zone would output the time zone used for the data in a component 
    called Table in your report. 
    Example output: America/Los_Angeles 

  $<ComponentID>.Start_Time 
    Prints the start time for the specified component. 

    For example, $Table.Start_Time would output the start time used for the data in a component 
    called Table in your report. (Start Time is a report parameter that can be configured on a 
    per-component basis.) 
    Example output: 12/05/2011 17:46:50.406-0800 

  $<ComponentID>.End_Time 
    Prints the end time for the specified component. 

    For example, $Table.End_Time would output the end time used for the data in a component called 
    Table in your report. (End Time is a report parameter which can be configured on a per-component 
    basis.) 
    Example output: 12/05/2011 18:00:21.140-0800 

  $<ComponentID>.<Parameter_name> 
    Prints the value of the specified component parameter. 

  $Custom.<Parameter_name> 
    Prints the value of a custom component parameter. 


Velocity Template Usage Tips 

• Use with strings and numeric values only. 

Velocity templates apply only to fields that contain string or numeric values. 

• Use with dynamic parameters and ArcSight variables. 

You can use all of the dynamic time parameters you see in the Active Channel Editor and 
elsewhere, such as $Now and $CurrentDateTime. The same is true for time elements, including s 
(second), m (minute), d (date), M (month), w (week), and y (year). To use any event data field as a 
variable, express its displayed name as a one-word, camel case string prefixed with a dollar sign. 
For example, "Source Address" would be $sourceAddress. For details about using variables in a 
velocity expression, see "Using Variables in a Velocity Expression" on page 1095. 

• Regular expressions are not supported. 

Use of regular expressions is not tested or supported. 

• Test using active channel custom field. 

You can conveniently test Velocity templates by trying them first in a customField of an active 
channel. 


Views 

"Views" is a collective term for all the different options you have for seeing raw and processed "Events" 
information in the ArcSight Console's Viewer panel. 
The Console's Viewer panel can display event information in several formats and is readily 
customizable. Views may be customized to best reflect an enterprise and can be organized in a 
hierarchical structure with drill-down functionality. There is a list of chart-format views in addition to 
grids, maps, and dashboards. 

See also "Viewing" on page 46 and "Monitoring Active Channels" on page 210. 


View Types 

Each view type represented by a tab at the top of the Viewer panel serves as a container for all 
individual instances of that type of view. For example, all data monitors opened in a dashboard remain 
part of it, and also inherit any visual choices you make for that view. Using the View Layout icon at the 
lower-right corner of the Viewer panel you can choose to tile or tab the individual views. When you tab 
the views, you select them using the tabs at the bottom of the panel. 



With views you have the flexibility to monitor an enterprise from various perspectives. Views can be 
customized to best capture and reflect an enterprise's network infrastructure and can also be organized 
in a hierarchical structure with drill-down functionality. Views can vary in scope and scale, from broad 
to detailed, depending on how the enterprise is monitored and organized. 

The ArcSight Console provides different views in which you can display event data in the Viewer panel. 
You can select which views to display by selecting options from the Views menu. 


Dashboards 

Dashboards provide a more customized view of data, letting you create individual "instrument panels," 
each of which can display results based on different event data and filter conditions, and in different 
formats. 

From the Viewer panel, you can change the view type or format of individual tabs from grid to line chart, 
bar chart, pie chart, or graphic. In addition, you can float the display of individual sub-view tabs, 
dashboards, and individual data monitors into separate windows to expand or resize individual 
displays. 

While chart views display a summary of events, grid views display each event. Grid views display 
events organized in rows and columns. As new events occur, they are inserted at the top of the grid as 
a new row. Rows contain events while columns contain data fields. 


Other Views 

The Console automatically shows HTML information such as reports, reference pages, and results for 
the Web Search tool in your default Web browser. 

The Viewer panel is where you use the Find Resource query editor and result details. (See also 
"Finding Resources" on page 687.) 


Vulnerabilities 

A vulnerability is a hardware, firmware, or software state that leaves an automated information system 
(AIS) open for potential exploitation. It could be due to anything, including circumstance, configuration, 
design, or implementation. A vulnerability can also be described as a weakness in automated system 
security procedures, administrative controls, physical layout, internal controls, and so forth, that could 
be exploited by a threat to gain unauthorized access to information or disrupt critical processing. 

Vulnerabilities are discovered using scanners and their associated SmartConnectors. The Manager 
imports the output from vulnerability scanners, recording them as items in the Vulnerabilities resource 
tree, in the Assets section of the Navigator panel. Vulnerabilities are mapped to their associated 
devices. Vulnerabilities describe asset threats and exposures and provide more information with a link 
to Knowledge Base articles or notes. 
Vulnerability Groups 

Vulnerability groups are created to store similar groups of vulnerabilities in a single location. Groups can 
be created within groups to meet enterprise needs. When a group is created within a group, the new 
group inherits the existing group's permissions. If a group is deleted, the vulnerabilities within that group 
are also deleted. The following groups are provided: 

• Shared: vulnerabilities to which logged-in users have permission. 

• Unassigned: vulnerabilities that are not assigned to a group. 

If you have Administrator access you will have another group named All Vulnerabilities that contains all 
vulnerability groups and vulnerabilities. 


Standardized Vulnerability Tracking 

In the Vulnerabilities tab of the Assets resource tree, there is a branch for using the MITRE 
Corporation's CVE (Common Vulnerabilities and Exposures) standardized vulnerability naming and 
reference system. 

CVE is a list (dictionary) of standardized names for vulnerabilities and other information security 
exposures. CVE seeks to standardize the names for all publicly known vulnerabilities and security 
exposures. 

ESM can map CVE as one of its vulnerability reference authorities, within the Navigator panel resource 
tree. This information can serve, for example, to determine the significance of IDS events. The goal of 
CVE is to provide a common naming scheme, shared by vulnerability scanners and other security 
devices, to link real-time events to asset vulnerabilities. 

You can search the CVE-related Navigator panel resources by CVE name, and include CVE names 
in ArcSight Console or report output. 

The requirements for CVE compatibility are fulfilled by the capacity to analyze event streams utilizing 
CVE names, generate reports for CVE-related vulnerabilities, map events to asset vulnerabilities, and 
the existence of documentation for CVE-related functionality. 


Web Browsers 

You can launch HTML-based displays in an external Web browser from the ArcSight Console. 

Note: Refer to the Support Matrix applicable to your ESM version for an official list of supported 
Web browsers. 
Browser Preferences for HTML Displays 

The ArcSight Console offers a general preference option for HTML display of various information in 
your preferred external Web browser. 

The way you set these browser preferences determines display of reports, knowledge base articles, 
graphs and charts, and so forth. (For information on the general setting for HTML viewing preferences, 
see the table on "Program Preferences" for information on preferred Web browsers.) 


Browser Preference Overrides for Specific Features 

Additionally, you can set your viewer preference for HTML displays specifically for certain features, 
and override the general preference setting for these specific displays. Some examples are: 

• Integration command configurations. HTML display preferences for integrated command results are 
set as attributes on the command configuration. See "Configurations Attributes" on page 636 for 
more information. 


Note: For ESM 6.5c and later, use the ArcSight Command Center to run Logger searches. 
Refer to the Command Center User's Guide for information on running searches. 


• Online Help. You can set a preference specific to the Online Help for display in an external Web 
browser. 
Send Documentation Feedback 

If you have comments about this document, you can contact the documentation team by email. If an 
email client is configured on this system, click the link above and an email window opens with the 
following information in the subject line: 

Feedback on ArcSight Console User's Guide (ESM 6.9.1c) 

Just add your feedback to the email and click send. 

If no email client is available, copy the information above to a new message in a web mail client, and 
send your feedback to arc-doc@hpe.com. 

We appreciate your feedback! 